diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index a9dfb2fd6e..ab5ed2e172 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -6,5 +6,4 @@ # review when someone opens a pull request. .github/CODEOWNERS @Azure/eslz-codeownersadmins -.github/** @Azure/eslz-admins -eslzArm/** @Azure/eslz-armteam +* @Azure/alz-core-team-technical diff --git a/.github/ISSUE_TEMPLATE/Policy_Submission.yml b/.github/ISSUE_TEMPLATE/Policy_Submission.yml new file mode 100644 index 0000000000..adb51eb9dc --- /dev/null +++ b/.github/ISSUE_TEMPLATE/Policy_Submission.yml 
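Review bot: The new catch-all `* @Azure/alz-core-team-technical` is placed after `.github/CODEOWNERS @Azure/eslz-codeownersadmins`, and because GitHub gives precedence to the last matching pattern, the wildcard now shadows the dedicated owner of the CODEOWNERS file itself. That makes edits to CODEOWNERS — i.e. to who may approve anything in the repo — approvable by the general team rather than the admin group that line was meant to reserve. Moving the wildcard above the specific entry restores the intent: `* @Azure/alz-core-team-technical` first, then `.github/CODEOWNERS @Azure/eslz-codeownersadmins`. Whether the removed `eslz-*` teams are still referenced elsewhere (branch protection, other workflows) cannot be told from this hunk.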
@@ -0,0 +1,84 @@ +name: Policy Submission +description: Submit an Azure policy/initiative for Azure Landing Zone +title: "[Policy]: " +labels: ["policy"] +projects: [] +assignees: + - springstone +body: + - type: markdown + attributes: + value: Thanks for taking the time to fill out this policy submission! + - type: dropdown + id: policytype + attributes: + label: Policy Definition or Initiative + description: Are you proposing a policy definition or initiative definition? + options: + - Definition + - Initiative + - Not sure + default: 0 + validations: + required: true + - type: dropdown + id: builtincustom + attributes: + label: Built-in/Custom + description: Is the policy definition or initiative built-in or are you proposing a custom one? + options: + - Built-in + - Custom + - Not sure + default: 0 + validations: + required: true + - type: input + id: resourceid + attributes: + label: Built-in policy definition or initiative ID + description: If this is for a built in policy definition or initiative, please provide the resource ID + value: "" + validations: + required: false + - type: textarea + id: description + attributes: + label: Custom policy definition or initiative description + description: If this is a custom policy definition or initiative, please provide a description of what it should do. + placeholder: A policy that + value: "A policy that does ..." + validations: + required: true + - type: dropdown + id: assignmentscope + attributes: + label: Scope + description: What scope (Management Group) should the policy definition or initiative be assigned to? 
+ options: + - Intermediate Root + - Platform + - Connectivity + - Management + - Identity + - Landing Zones + - Corp + - Online + - Decommissioned + - Sandbox + - Multiple / Other + default: 0 + validations: + required: true + - type: checkboxes + id: defaultassignment + attributes: + label: Default Assignment + description: Should the policy definition or initiative be assigned by default to the scope above in Azure Landing Zone? + options: + - label: "Yes" + - type: textarea + id: Comments + attributes: + label: Comments/thoughts + description: Do you have any additional comments/thoughts? diff --git a/.github/actions-pester/PTF-TestPolicies.ps1 b/.github/actions-pester/PTF-TestPolicies.ps1 new file mode 100644 index 0000000000..f55c4b6955 --- /dev/null +++ b/.github/actions-pester/PTF-TestPolicies.ps1 
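Review bot: Several `required: true` validations in this form are satisfied by their own pre-filled values, so they do not actually force the submitter to answer: the `policytype` and `builtincustom` dropdowns carry `default: 0` (pre-selecting the first option), and the `description` textarea ships with `value: "A policy that does ..."`, which passes the required check untouched. Dropping the `default:` keys (or pointing them at the `Not sure` option, index 2) and removing `value:` from the textarea so that only `placeholder:` remains makes the required flags meaningful. Hard-coding `assignees: springstone` also ties every submission to one account; label-based routing to a team may be preferable, though that depends on repo process not visible here.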
@@ -0,0 +1,63 @@ +Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force -Verbose +Import-Module Pester -Force + +function RunPester +{ + param ( + [Parameter()] + [String]$PolicyTest + ) + + $pesterConfiguration = @{ + Run = @{ + Container = New-PesterContainer -Path $PolicyTest + PassThru = $true + } + Output = @{ + Verbosity = 'Detailed' + CIFormat = 'Auto' + } + } + $result = Invoke-Pester -Configuration $pesterConfiguration + #exit $result.FailedCount +} + +$ModifiedFiles = @(Get-PolicyFiles -DiffFilter "M") +if ([String]::IsNullOrEmpty($ModifiedFiles)) +{ + Write-Warning "These are the modified policies: $($ModifiedFiles)" +} +else +{ + Write-Warning "There are no modified policies" +} + +$AddedFiles = @(Get-PolicyFiles -DiffFilter "A") +if ([String]::IsNullOrEmpty($AddedFiles)) +{ + Write-Warning "These are the added policies: $($AddedFiles)" +} +else +{ + Write-Warning "There are no added policies" +} + +$ModifiedAddedFiles = $ModifiedFiles + $AddedFiles + +$ModifiedAddedFiles | ForEach-Object { + + $PolicyFile = Split-Path $_ -Leaf + $PolicyFileClean = $PolicyFile -replace ".json", "" + + $testPath = "tests/policy/$($PolicyFileClean).Tests.ps1" + + if (Test-Path $testPath) + { + Write-Warning "Running pester tests on $PolicyFileClean" + RunPester($testPath) + } + else + { + Write-Warning "There are no tests for $PolicyFileClean" + } +} \ No newline at end of file diff --git a/.github/actions-pester/PolicyPesterTestHelper.psm1 b/.github/actions-pester/PolicyPesterTestHelper.psm1 new file mode 100644 index 0000000000..dff9b8f264 --- /dev/null +++ b/.github/actions-pester/PolicyPesterTestHelper.psm1 
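Review bot: A failing policy test never fails this script: `RunPester` captures `$result` from `Invoke-Pester -PassThru`, but its only consumer, `#exit $result.FailedCount`, is commented out, so the CI step succeeds regardless of the Pester outcome and the gate is cosmetic. Replacing the comment with `if ($result.FailedCount -gt 0) { throw "$($result.FailedCount) test(s) failed in $PolicyTest" }` (or accumulating the count across files and exiting non-zero at the end) makes it effective. The two `[String]::IsNullOrEmpty` branches are also inverted — "These are the modified policies" prints when the list is empty and "There are no modified policies" when it is not — and `-replace ".json", ""` is a regex where `.` matches any character, so `'\.json$'` is the safer pattern.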
@@ -0,0 +1,133 @@ +<# +.DESCRIPTION +Uses git diff to return a list of policy definitions and policy set definition file paths. +#> + +function Get-PolicyFiles +{ + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter()] + [String]$DiffFilter, + + [Parameter()] + [String]$PolicyDir = "$($env:POLICY_DIR)", + + [Parameter()] + [String]$PolicySetDir = "$($env:POLICYSET_DIR)", + + [Parameter()] + [String]$PRBranch = "$($env:GITHUB_HEAD_REF)", + + [Parameter()] + [String]$BaseBranch = "$($env:GITHUB_BASE_REF)" + ) + + $PolicyFiles = @(git diff --diff-filter=$DiffFilter --name-only origin/main $PRBranch -- $PolicyDir) + $PolicySetsFiles = @(git diff --diff-filter=$DiffFilter --name-only origin/main $PRBranch -- $PolicySetDir) + + $PolicyAndSetFiles = $PolicyFiles + $PolicySetsFiles + + $PolicyAndSetFiles | ForEach-Object { + return $_ + } +} + +function Remove-JSONMetadata { + + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)] + [hashtable] $TemplateObject + ) + $TemplateObject.Remove('metadata') + + # Differantiate case: With user defined types (resources property is hashtable) vs without user defined types (resources property is array) + if ($TemplateObject.resources.GetType().BaseType.Name -eq 'Hashtable') { + # Case: Hashtable + $resourceIdentifiers = $TemplateObject.resources.Keys + for ($index = 0; $index -lt $resourceIdentifiers.Count; $index++) { + if ($TemplateObject.resources[$resourceIdentifiers[$index]].type -eq 'Microsoft.Resources/deployments' -and $TemplateObject.resources[$resourceIdentifiers[$index]].properties.template.GetType().BaseType.Name -eq 'Hashtable') { + $TemplateObject.resources[$resourceIdentifiers[$index]] = Remove-JSONMetadata -TemplateObject $TemplateObject.resources[$resourceIdentifiers[$index]].properties.template + } + } + } else { + # Case: Array + for ($index = 0; $index -lt $TemplateObject.resources.Count; $index++) { + if ($TemplateObject.resources[$index].type -eq 'Microsoft.Resources/deployments' -and 
$TemplateObject.resources[$index].properties.template.GetType().BaseType.Name -eq 'Hashtable') { + $TemplateObject.resources[$index] = Remove-JSONMetadata -TemplateObject $TemplateObject.resources[$index].properties.template + } + } + } + + return $TemplateObject +} + +function ConvertTo-OrderedHashtable { + + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)] + [string] $JSONInputObject # Must be string to workaround auto-conversion + ) + + $JSONObject = ConvertFrom-Json $JSONInputObject -AsHashtable -Depth 99 -NoEnumerate + $orderedLevel = [ordered]@{} + + if (-not ($JSONObject.GetType().BaseType.Name -eq 'Hashtable')) { + return $JSONObject # E.g. in primitive data types [1,2,3] + } + + foreach ($currentLevelKey in ($JSONObject.Keys | Sort-Object -Culture 'en-US')) { + + if ($null -eq $JSONObject[$currentLevelKey]) { + # Handle case in which the value is 'null' and hence has no type + $orderedLevel[$currentLevelKey] = $null + continue + } + + switch ($JSONObject[$currentLevelKey].GetType().BaseType.Name) { + { $PSItem -in @('Hashtable') } { + $orderedLevel[$currentLevelKey] = ConvertTo-OrderedHashtable -JSONInputObject ($JSONObject[$currentLevelKey] | ConvertTo-Json -Depth 99) + } + 'Array' { + $arrayOutput = @() + + # Case: Array of arrays + $arrayElements = $JSONObject[$currentLevelKey] | Where-Object { $_.GetType().BaseType.Name -eq 'Array' } + foreach ($array in $arrayElements) { + if ($array.Count -gt 1) { + # Only sort for arrays with more than one item. 
Otherwise single-item arrays are casted + $array = $array | Sort-Object -Culture 'en-US' + } + $arrayOutput += , (ConvertTo-OrderedHashtable -JSONInputObject ($array | ConvertTo-Json -Depth 99)) + } + + # Case: Array of objects + $hashTableElements = $JSONObject[$currentLevelKey] | Where-Object { $_.GetType().BaseType.Name -eq 'Hashtable' } + foreach ($hashTable in $hashTableElements) { + $arrayOutput += , (ConvertTo-OrderedHashtable -JSONInputObject ($hashTable | ConvertTo-Json -Depth 99)) + } + + # Case: Primitive data types + $primitiveElements = $JSONObject[$currentLevelKey] | Where-Object { $_.GetType().BaseType.Name -notin @('Array', 'Hashtable') } | ConvertTo-Json -Depth 99 | ConvertFrom-Json -AsHashtable -NoEnumerate -Depth 99 + if ($primitiveElements.Count -gt 1) { + $primitiveElements = $primitiveElements | Sort-Object -Culture 'en-US' + } + $arrayOutput += $primitiveElements + + if ($array.Count -gt 1) { + # Only sort for arrays with more than one item. Otherwise single-item arrays are casted + $arrayOutput = $arrayOutput | Sort-Object -Culture 'en-US' + } + $orderedLevel[$currentLevelKey] = $arrayOutput + } + Default { + # string/int/etc. + $orderedLevel[$currentLevelKey] = $JSONObject[$currentLevelKey] + } + } + } + + return $orderedLevel +} diff --git a/.github/actions-pester/Test-BuildPolicies.Tests.ps1 b/.github/actions-pester/Test-BuildPolicies.Tests.ps1 new file mode 100644 index 0000000000..eb50026ebf --- /dev/null +++ b/.github/actions-pester/Test-BuildPolicies.Tests.ps1 
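Review bot: `Get-PolicyFiles` accepts `$BaseBranch` (from `GITHUB_BASE_REF`) but never uses it — both `git diff` calls hard-code `origin/main`, so a PR targeting any other branch is diffed against the wrong base and the downstream tests run over the wrong, or an empty, set of policy files. Using the parameter, e.g. `git diff --diff-filter=$DiffFilter --name-only "origin/$BaseBranch" "origin/$PRBranch" -- $PolicyDir`, keeps the comparison honest; whether the workflow's checkout step fetches those refs locally is not visible here and should be confirmed. `$PRBranch` is also passed before the `--`, so a head branch name beginning with `-` would be parsed by git as an option rather than a ref, which the `origin/` prefix above also avoids. Separately, in `ConvertTo-OrderedHashtable` the final `if ($array.Count -gt 1)` tests the loop variable left over from the array-of-arrays case instead of the combined result, so `$arrayOutput` is only sorted by accident; it should read `if ($arrayOutput.Count -gt 1)`. The `SupportsShouldProcess` attribute on `Get-PolicyFiles` is never honored with `$PSCmdlet.ShouldProcess`, so `-WhatIf` is accepted but has no effect.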
@@ -0,0 +1,62 @@ +Describe 'UnitTest-BuildPolicies' { + + BeforeAll { + Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force -Verbose + + New-Item -Name "buildout" -Type Directory + + # Build the PR policies, initiatives, and role definitions to a temp folder + bicep build ./src/templates/policies.bicep --outfile ./buildout/policies.json + bicep build ./src/templates/initiatives.bicep --outfile ./buildout/initiatives.json + bicep build ./src/templates/roles.bicep --outfile ./buildout/customRoleDefinitions.json + } + + Context "Check Policy Builds" { + + It "Check policies build done" { + $prFile = "./eslzArm/managementGroupTemplates/policyDefinitions/policies.json" + $buildFile = "./buildout/policies.json" + + $buildJson = Remove-JSONMetadata -TemplateObject (Get-Content $buildFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable) + $buildJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $buildJson -Depth 99) + + $prJson = Remove-JSONMetadata -TemplateObject (Get-Content $prFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable) + $prJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $prJson -Depth 99) + + # Compare files we built to the PR files + (ConvertTo-Json $buildJson -Depth 99) | Should -Be (ConvertTo-Json $prJson -Depth 99) -Because "the [policies.json] should be based on the latest [policies.bicep] file. Please run [` bicep build ./src/templates/policies.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/policies.json `] using the latest Bicep CLI version." 
+ } + + It "Check initiatives build done" { + $PRfile = "./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json" + $buildFile = "./buildout/initiatives.json" + + $buildJson = Remove-JSONMetadata -TemplateObject (Get-Content $buildFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable) + $buildJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $buildJson -Depth 99) + + $prJson = Remove-JSONMetadata -TemplateObject (Get-Content $prFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable) + $prJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $prJson -Depth 99) + + # Compare files we built to the PR files + (ConvertTo-Json $buildJson -Depth 99) | Should -Be (ConvertTo-Json $prJson -Depth 99) -Because "the [initiatives.json] should be based on the latest [initiatives.bicep] file. Please run [` bicep build ./src/templates/initiatives.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json `] using the latest Bicep CLI version." + } + + It "Check role definitions build done" { + $PRfile = "./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json" + $buildFile = "./buildout/customRoleDefinitions.json" + + $buildJson = Remove-JSONMetadata -TemplateObject (Get-Content $buildFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable) + $buildJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $buildJson -Depth 99) + + $prJson = Remove-JSONMetadata -TemplateObject (Get-Content $prFile -Raw | ConvertFrom-Json -Depth 99 -AsHashtable) + $prJson = ConvertTo-OrderedHashtable -JSONInputObject (ConvertTo-Json $prJson -Depth 99) + + # Compare files we built to the PR files + (ConvertTo-Json $buildJson -Depth 99) | Should -Be (ConvertTo-Json $prJson -Depth 99) -Because "the [customRoleDefinitions.json] should be based on the latest [customRoleDefinitions.bicep] file. 
Please run [` bicep build ./src/templates/roles.bicep --outfile ./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json `] using the latest Bicep CLI version." + } + } + + AfterAll { + # These are not the droids you are looking for... + } +} \ No newline at end of file diff --git a/.github/actions-pester/Test-ModifiedPolicies.Tests.ps1 b/.github/actions-pester/Test-ModifiedPolicies.Tests.ps1 new file mode 100644 index 0000000000..6b49cb1531 --- /dev/null +++ b/.github/actions-pester/Test-ModifiedPolicies.Tests.ps1 
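Review bot: The three `bicep build` calls in `BeforeAll` are not checked for success, so a failed build (syntax error, missing CLI) surfaces later as an unrelated `Get-Content` error on a missing `./buildout/*.json` rather than as the real cause; adding `if ($LASTEXITCODE -ne 0) { throw "bicep build of policies.bicep failed" }` after each call (or looping over the three sources with that check) pins it. The `-Because` text of the role-definitions test also points contributors at a source that does not exist here: it says the JSON should be based on `customRoleDefinitions.bicep`, while both the command in the same message and `BeforeAll` build `./src/templates/roles.bicep`, so the text should read `[roles.bicep]`. `New-Item -Name "buildout" -Type Directory` errors if the directory survives from an earlier run; `-Force` avoids that, and `Remove-Item ./buildout -Recurse -Force` in the currently empty `AfterAll` keeps the workspace clean for the next test file.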
@@ -0,0 +1,150 @@ +Describe 'UnitTest-ModifiedPolicies' { + BeforeAll { + Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force -Verbose + + $ModifiedFiles = @(Get-PolicyFiles -DiffFilter "M") + if ($ModifiedFiles -ne $null) + { + Write-Warning "These are the modified policies: $($ModifiedFiles)" + } + else + { + Write-Warning "There are no modified policies" + } + + $AddedFiles = @(Get-PolicyFiles -DiffFilter "A") + if ($AddedFiles -ne $null) + { + Write-Warning "These are the added policies: $($AddedFiles)" + } + else + { + Write-Warning "There are no added policies" + } + + $ModifiedAddedFiles = $ModifiedFiles + $AddedFiles + } + + + + Context "Validate policy metadata" { + + It "Check policy metadata version exists" { + $ModifiedAddedFiles | ForEach-Object { + $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json + $PolicyFile = Split-Path $_ -Leaf + $PolicyMetadataVersion = $PolicyJson.properties.metadata.version + Write-Warning "$($PolicyFile) - The current metadata version for the policy in the PR branch is : $($PolicyMetadataVersion)" + $PolicyMetadataVersion | Should -Not -BeNullOrEmpty + } + } + + It "Check policy metadata version is greater than its previous version" -Skip:($ModifiedFiles -ne $null) { + $ModifiedFiles | ForEach-Object { + $PolicyFile = Split-Path $_ -Leaf + $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json + $PreviousPolicyDefinitionRawUrl = "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/$_" + $PreviousPolicyDefinitionOutputFile = "./previous-$PolicyFile" + Invoke-WebRequest -Uri $PreviousPolicyDefinitionRawUrl -OutFile $PreviousPolicyDefinitionOutputFile + $PreviousPolicyDefinitionsFile = Get-Content $PreviousPolicyDefinitionOutputFile -Raw | ConvertFrom-Json + $PreviousPolicyDefinitionsFileVersion = $PreviousPolicyDefinitionsFile.properties.metadata.version + Write-Warning "$($PolicyFile) - The current metadata version for the policy in the main branch is : 
$($PreviousPolicyDefinitionsFileVersion)" + $PolicyMetadataVersion = $PolicyJson.properties.metadata.version + $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json + Write-Warning "$($PolicyFile) - The current metadata version for the policy in the PR branch is : $($PolicyMetadataVersion)" + if (!$PreviousPolicyDefinitionsFileVersion.EndsWith("deprecated")) { + $PolicyMetadataVersion | Should -BeGreaterThan $PreviousPolicyDefinitionsFileVersion + } + } + } + + It "Check deprecated policy contains all required metadata" { + $ModifiedAddedFiles | ForEach-Object { + $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json + $PolicyFile = Split-Path $_ -Leaf + $PolicyMetadataVersion = $PolicyJson.properties.metadata.version + Write-Warning "$($PolicyFile) - This is the policy metadata version: $($PolicyMetadataVersion)" + if ($PolicyMetadataVersion.EndsWith("deprecated")) { + Write-Warning "$($PolicyFile) - Should have the deprecated metadata flag set to true" + $PolicyMetadataDeprecated = $PolicyJson.properties.metadata.deprecated + $PolicyMetadataDeprecated | Should -BeTrue + Write-Warning "$($PolicyFile) - Should have the supersededBy metadata value set" + $PolicyMetadataSuperseded = $PolicyJson.properties.metadata.supersededBy + $PolicyMetadataSuperseded | Should -Not -BeNullOrEmpty + Write-Warning "$($PolicyFile) - [Deprecated] should be in the display name" + $PolicyPropertiesDisplayName = $PolicyJson.properties.displayName + $PolicyPropertiesDisplayName | Should -Match "[DEPRECATED]" + } + } + } + + It "Check policy metadata category exists" { + $ModifiedAddedFiles | ForEach-Object { + $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json + $PolicyFile = Split-Path $_ -Leaf + $PolicyMetadataCategories = $PolicyJson.properties.metadata.category + Write-Warning "$($PolicyFile) - These are the policy metadata categories: $($PolicyMetadataCategories)" + $PolicyMetadataCategories | Should -Not -BeNullOrEmpty + } + } + + It "Check policy metadata source 
is set to Enterprise-Scale repo" { + $ModifiedAddedFiles | ForEach-Object { + $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json + $PolicyFile = Split-Path $_ -Leaf + $PolicyMetadataSource = $PolicyJson.properties.metadata.source + Write-Warning "$($PolicyFile) - This is the policy source link: $($PolicyMetadataSource)" + $PolicyMetadataSource | Should -Be 'https://github.com/Azure/Enterprise-Scale/' + } + } + + It "Check policy metadata ALZ Environments are specified for Public, US Gov or China Clouds" { + $ModifiedAddedFiles | ForEach-Object { + $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json + $PolicyFile = Split-Path $_ -Leaf + $AlzEnvironments = @("AzureCloud", "AzureChinaCloud", "AzureUSGovernment") + $PolicyEnvironments = $PolicyJson.properties.metadata.alzCloudEnvironments + Write-Warning "$($PolicyFile) - These are the environments: $($PolicyEnvironments)" + $PolicyJson.properties.metadata.alzCloudEnvironments | Should -BeIn $AlzEnvironments + } + } + + It "Check policy metadata name matches policy filename" { + $ModifiedAddedFiles | ForEach-Object { + $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json + $PolicyFile = Split-Path $_ -Leaf + $PolicyMetadataName = $PolicyJson.name + $PolicyFileNoExt = [System.IO.Path]::GetFileNameWithoutExtension($PolicyFile) + if ($PolicyFileNoExt.Contains("AzureChinaCloud") -or $PolicyFileNoExt.Contains("AzureUSGovernment")) + { + $PolicyFileNoExt = $PolicyFileNoExt.Substring(0, $PolicyFileNoExt.IndexOf(".")) + } + Write-Warning "$($PolicyFileNoExt) - This is the policy metadata name: $($PolicyMetadataName)" + $PolicyMetadataName | Should -Be $PolicyFileNoExt + } + } + + } + + Context "Validate policy parameters" { + It 'Check for policy parameters have default values' { + $ModifiedAddedFiles | ForEach-Object { + $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json + $PolicyFile = Split-Path $_ -Leaf + $PolicyParameters = $PolicyJson.properties.parameters + if ($PolicyParameters | Get-Member 
-MemberType NoteProperty) + { + $Parameters = $PolicyParameters | Get-Member -MemberType NoteProperty | Select-Object -Expand Name + Write-Warning "$($PolicyFile) - These are the params: $($Parameters)" + $Parameters = $PolicyParameters | Get-Member -MemberType NoteProperty + $Parameters | ForEach-Object { + $key = $_.name + $defaultValue = $PolicyParameters.$key | Get-Member -MemberType NoteProperty | Where-Object Name -EQ "defaultValue" + Write-Warning "$($PolicyFile) - Parameter: $($key) - Default Value: $($defaultValue)" + $PolicyParameters.$key.defaultValue | Should -Not -BeNullOrEmpty + } + } + } + } + } + } diff --git a/.github/fabricbot.json b/.github/fabricbot.json deleted file mode 100644 index a6cb628f22..0000000000 --- a/.github/fabricbot.json +++ /dev/null 
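Review bot: The version-increment check is effectively dead: `-Skip:($ModifiedFiles -ne $null)` yields a non-empty, truthy array exactly when there are modified policies, so the test is skipped in the only case it matters and otherwise iterates an empty list. It should be `-Skip:($ModifiedFiles.Count -eq 0)`. Even once it runs, `Should -BeGreaterThan` on the raw strings compares lexically (`1.10.0` is not greater than `1.9.0`); casting both sides to `[version]` after stripping the suffix the repo uses for deprecated entries gives the intended ordering — the exact suffix format is not visible here. In the deprecated-metadata test, `Should -Match "[DEPRECATED]"` is a regex character class that matches any display name containing one of those letters; use `Should -Match '\[DEPRECATED\]'`. The previous version is also fetched from `raw.githubusercontent.com` over the network while the helper module already relies on a local `origin/main`; `git show origin/main:$_` removes the network dependency and a possible mismatch with the checked-out base.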
@@ -1,1647 +0,0 @@ -[ - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "IssueCommentResponder", - "version": "1.0", - "config": { - "conditions": { - "operator": "and", - "operands": [ - { - "operator": "not", - "operands": [ - { - "name": "isOpen", - "parameters": {} - } - ] - }, - { - "name": "isAction", - "parameters": { - "action": "created" - } - }, - { - "name": "hasLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - }, - { - "name": "hasLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - }, - { - "operator": "not", - "operands": [ - { - "name": "noActivitySince", - "parameters": { - "days": 7 - } - } - ] - }, - { - "operator": "not", - "operands": [ - { - "name": "isCloseAndComment", - "parameters": {} - } - ] - }, - { - "name": "isActivitySender", - "parameters": { - "user": { - "type": "author" - } - } - }, - { - "name": "activitySenderHasPermissions", - "parameters": { - "permissions": "none" - } - } - ] - }, - "eventType": "issue", - "eventNames": [ - "issue_comment" - ], - "taskName": "For issues closed due to inactivity, re-open an issue if issue author posts a reply within 7 days.", - "actions": [ - { - "name": "reopenIssue", - "parameters": {} - }, - { - "name": "removeLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - }, - { - "name": "removeLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - }, - { - "name": "addLabel", - "parameters": { - "label": "Needs: Attention :wave:" - } - } - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "IssueCommentResponder", - "version": "1.0", - "config": { - "conditions": { - "operator": "and", - "operands": [ - { - "name": "isAction", - "parameters": { - "action": "created" - } - }, - { - "operator": "not", - "operands": [ - { - "name": "isOpen", - "parameters": {} - } - ] - }, - { - "name": "activitySenderHasPermissions", - "parameters": { - "permissions": 
"none" - } - }, - { - "name": "noActivitySince", - "parameters": { - "days": 7 - } - }, - { - "operator": "not", - "operands": [ - { - "name": "isCloseAndComment", - "parameters": {} - } - ] - } - ] - }, - "eventType": "issue", - "eventNames": [ - "issue_comment" - ], - "taskName": "For issues closed with no activity over 7 days, ask non-contributor to consider opening a new issue instead.", - "actions": [ - { - "name": "addReply", - "parameters": { - "comment": "Hello, thank you for your comment on this issue. Because this issue has been closed for a period of time, please strongly consider opening a new issue linking to this issue instead to ensure better visibility of your comment. Thank you!" - } - } - ] - } - }, - { - "taskType": "scheduled", - "capabilityId": "ScheduledSearch", - "subCapability": "ScheduledSearch", - "version": "1.1", - "config": { - "frequency": [ - { - "weekDay": 0, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 1, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 2, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 3, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 4, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 5, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 6, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - } - ], - "searchTerms": [ - { - "name": "isClosed", - "parameters": {} - }, - { - "name": "noActivitySince", - "parameters": { - "days": 30 - } - }, - { - "name": "isUnlocked", - "parameters": {} - }, - { - "name": "isIssue", - "parameters": {} - } - ], - "taskName": "Lock issues closed without activity for over 30 days", - "actions": [ - { - "name": 
"lockIssue", - "parameters": { - "reason": "resolved" - } - } - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "IssuesOnlyResponder", - "version": "1.0", - "config": { - "taskName": "Add needs triage label to new issues", - "conditions": { - "operator": "and", - "operands": [ - { - "name": "isAction", - "parameters": { - "action": "opened" - } - }, - { - "operator": "not", - "operands": [ - { - "name": "isPartOfProject", - "parameters": {} - } - ] - }, - { - "operator": "not", - "operands": [ - { - "name": "isAssignedToSomeone", - "parameters": {} - } - ] - } - ] - }, - "actions": [ - { - "name": "addLabel", - "parameters": { - "label": "Needs: Triage :mag:" - } - } - ], - "eventType": "issue", - "eventNames": [ - "issues", - "project_card" - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "IssueCommentResponder", - "version": "1.0", - "config": { - "taskName": "Replace needs author feedback label with needs attention label when the author comments on an issue", - "conditions": { - "operator": "and", - "operands": [ - { - "name": "isAction", - "parameters": { - "action": "created" - } - }, - { - "name": "isActivitySender", - "parameters": { - "user": { - "type": "author" - } - } - }, - { - "name": "hasLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - }, - { - "name": "isOpen", - "parameters": {} - } - ] - }, - "actions": [ - { - "name": "addLabel", - "parameters": { - "label": "Needs: Attention :wave:" - } - }, - { - "name": "removeLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - } - ], - "eventType": "issue", - "eventNames": [ - "issue_comment" - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "IssuesOnlyResponder", - "version": "1.0", - "config": { - "taskName": "Remove no recent activity label from issues", - "conditions": { - "operator": "and", - "operands": [ - { - "operator": "not", 
- "operands": [ - { - "name": "isAction", - "parameters": { - "action": "closed" - } - } - ] - }, - { - "name": "hasLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ] - }, - "actions": [ - { - "name": "removeLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ], - "eventType": "issue", - "eventNames": [ - "issues", - "project_card" - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "IssueCommentResponder", - "version": "1.0", - "config": { - "taskName": "Remove no recent activity label when an issue is commented on", - "conditions": { - "operator": "and", - "operands": [ - { - "name": "hasLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ] - }, - "actions": [ - { - "name": "removeLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ], - "eventType": "issue", - "eventNames": [ - "issue_comment" - ] - } - }, - { - "taskType": "scheduled", - "capabilityId": "ScheduledSearch", - "subCapability": "ScheduledSearch", - "version": "1.1", - "config": { - "taskName": "Close stale issues", - "frequency": [ - { - "weekDay": 0, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 1, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 2, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 3, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 4, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 5, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 6, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - } - ], - "searchTerms": [ - { - "name": "isIssue", - "parameters": {} - }, - { - "name": 
"isOpen", - "parameters": {} - }, - { - "name": "hasLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - }, - { - "name": "hasLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - }, - { - "name": "noActivitySince", - "parameters": { - "days": 3 - } - } - ], - "actions": [ - { - "name": "closeIssue", - "parameters": {} - } - ] - }, - "disabled": true - }, - { - "taskType": "scheduled", - "capabilityId": "ScheduledSearch", - "subCapability": "ScheduledSearch", - "version": "1.1", - "config": { - "taskName": "Add no recent activity label to issues", - "frequency": [ - { - "weekDay": 0, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 1, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 2, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 3, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 4, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 5, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 6, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - } - ], - "searchTerms": [ - { - "name": "isIssue", - "parameters": {} - }, - { - "name": "isOpen", - "parameters": {} - }, - { - "name": "hasLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - }, - { - "name": "noActivitySince", - "parameters": { - "days": 5 - } - }, - { - "name": "noLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - }, - { - "name": "noLabel", - "parameters": { - "label": "long term" - } - } - ], - "actions": [ - { - "name": "addLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - }, - { - "name": "addReply", - "parameters": { - "comment": "This issue has 
been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for **5 days**." - } - } - ] - } - }, - { - "taskType": "scheduled", - "capabilityId": "ScheduledSearch", - "subCapability": "ScheduledSearch", - "version": "1.1", - "config": { - "taskName": "Close duplicate issues", - "frequency": [ - { - "weekDay": 0, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 1, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 2, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 3, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 4, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 5, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 6, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - } - ], - "searchTerms": [ - { - "name": "isIssue", - "parameters": {} - }, - { - "name": "isOpen", - "parameters": {} - }, - { - "name": "hasLabel", - "parameters": { - "label": "duplicate" - } - }, - { - "name": "noActivitySince", - "parameters": { - "days": 1 - } - } - ], - "actions": [ - { - "name": "addReply", - "parameters": { - "comment": "This issue has been marked as duplicate and has not had any activity for **1 day**. It will be closed for housekeeping purposes." 
- } - }, - { - "name": "closeIssue", - "parameters": {} - } - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "InPrLabel", - "subCapability": "InPrLabel", - "version": "1.0", - "config": { - "taskName": "Add 'In-PR' label on issue when an open pull request is targeting it", - "inPrLabelText": "Status: In PR", - "fixedLabelText": "Status: Fixed", - "fixedLabelEnabled": true - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "PullRequestReviewResponder", - "version": "1.0", - "config": { - "taskName": "Add needs author feedback label to pull requests when changes are requested", - "conditions": { - "operator": "and", - "operands": [ - { - "name": "isAction", - "parameters": { - "action": "submitted" - } - }, - { - "name": "isReviewState", - "parameters": { - "state": "changes_requested" - } - } - ] - }, - "actions": [ - { - "name": "addLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - } - ], - "eventType": "pull_request", - "eventNames": [ - "pull_request_review" - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "PullRequestResponder", - "version": "1.0", - "config": { - "taskName": "Remove needs author feedback label when the author responds to a pull request", - "conditions": { - "operator": "and", - "operands": [ - { - "name": "isActivitySender", - "parameters": { - "user": { - "type": "author" - } - } - }, - { - "operator": "not", - "operands": [ - { - "name": "isAction", - "parameters": { - "action": "closed" - } - } - ] - }, - { - "name": "hasLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - } - ] - }, - "actions": [ - { - "name": "removeLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - } - ], - "eventType": "pull_request", - "eventNames": [ - "pull_request", - "issues", - "project_card" - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": 
"PullRequestCommentResponder", - "version": "1.0", - "config": { - "taskName": "Remove needs author feedback label when the author comments on a pull request", - "conditions": { - "operator": "and", - "operands": [ - { - "name": "isActivitySender", - "parameters": { - "user": { - "type": "author" - } - } - }, - { - "name": "hasLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - } - ] - }, - "actions": [ - { - "name": "removeLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - } - ], - "eventType": "pull_request", - "eventNames": [ - "issue_comment" - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "PullRequestReviewResponder", - "version": "1.0", - "config": { - "taskName": "Remove needs author feedback label when the author responds to a pull request review comment", - "conditions": { - "operator": "and", - "operands": [ - { - "name": "isActivitySender", - "parameters": { - "user": { - "type": "author" - } - } - }, - { - "name": "hasLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - } - ] - }, - "actions": [ - { - "name": "removeLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - } - ], - "eventType": "pull_request", - "eventNames": [ - "pull_request_review" - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "PullRequestResponder", - "version": "1.0", - "config": { - "taskName": "Remove no recent activity label from pull requests", - "conditions": { - "operator": "and", - "operands": [ - { - "operator": "not", - "operands": [ - { - "name": "isAction", - "parameters": { - "action": "closed" - } - } - ] - }, - { - "name": "hasLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ] - }, - "actions": [ - { - "name": "removeLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ], - "eventType": "pull_request", - "eventNames": [ - "pull_request", - "issues", - 
"project_card" - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "PullRequestCommentResponder", - "version": "1.0", - "config": { - "taskName": "Remove no recent activity label when a pull request is commented on", - "conditions": { - "operator": "and", - "operands": [ - { - "name": "hasLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ] - }, - "actions": [ - { - "name": "removeLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ], - "eventType": "pull_request", - "eventNames": [ - "issue_comment" - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "PullRequestReviewResponder", - "version": "1.0", - "config": { - "taskName": "Remove no recent activity label when a pull request is reviewed", - "conditions": { - "operator": "and", - "operands": [ - { - "name": "hasLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ] - }, - "actions": [ - { - "name": "removeLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ], - "eventType": "pull_request", - "eventNames": [ - "pull_request_review" - ] - } - }, - { - "taskType": "scheduled", - "capabilityId": "ScheduledSearch", - "subCapability": "ScheduledSearch", - "version": "1.1", - "config": { - "taskName": "Close stale pull requests", - "frequency": [ - { - "weekDay": 0, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 1, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 2, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 3, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 4, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 5, - "hours": [ - 2, - 5, - 8, - 11, - 
14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 6, - "hours": [ - 2, - 5, - 8, - 11, - 14, - 17, - 20, - 23 - ], - "timezoneOffset": 0 - } - ], - "searchTerms": [ - { - "name": "isPr", - "parameters": {} - }, - { - "name": "isOpen", - "parameters": {} - }, - { - "name": "hasLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - }, - { - "name": "hasLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - }, - { - "name": "noActivitySince", - "parameters": { - "days": 7 - } - } - ], - "actions": [ - { - "name": "closeIssue", - "parameters": {} - } - ] - }, - "disabled": true - }, - { - "taskType": "scheduled", - "capabilityId": "ScheduledSearch", - "subCapability": "ScheduledSearch", - "version": "1.1", - "config": { - "taskName": "Add no recent activity label to pull requests", - "frequency": [ - { - "weekDay": 0, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 1, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 2, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 3, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 4, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 5, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - }, - { - "weekDay": 6, - "hours": [ - 0, - 3, - 6, - 9, - 12, - 15, - 18, - 21 - ], - "timezoneOffset": 0 - } - ], - "searchTerms": [ - { - "name": "isPr", - "parameters": {} - }, - { - "name": "isOpen", - "parameters": {} - }, - { - "name": "hasLabel", - "parameters": { - "label": "Needs: Author Feedback" - } - }, - { - "name": "noActivitySince", - "parameters": { - "days": 7 - } - }, - { - "name": "noLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - } - ], - "actions": 
[ - { - "name": "addLabel", - "parameters": { - "label": "Status: No Recent Activity" - } - }, - { - "name": "addReply", - "parameters": { - "comment": "This pull request has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for **7 days**." - } - } - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "EmailCleanser", - "subCapability": "EmailCleanser", - "version": "1.0", - "config": { - "taskName": "Clean those e-mail replies" - } - }, - { - "taskType": "trigger", - "capabilityId": "AutoMerge", - "subCapability": "AutoMerge", - "version": "1.0", - "config": { - "allowAutoMergeInstructionsWithoutLabel": true, - "mergeType": "squash", - "deleteBranches": true, - "enforceDMPAsStatus": true, - "removeLabelOnPush": true, - "label": "auto merge :heavy_check_mark:", - "taskName": "Auto-merge PRs", - "requireAllStatuses": false, - "requireSpecificCheckRuns": false, - "usePrDescriptionAsCommitMessage": false, - "minMinutesOpen": "480" - }, - "disabled": true - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "PullRequestResponder", - "version": "1.0", - "config": { - "conditions": { - "operator": "and", - "operands": [ - { - "name": "isAction", - "parameters": { - "action": "opened" - } - }, - { - "operator": "not", - "operands": [ - { - "name": "isPartOfProject", - "parameters": {} - } - ] - }, - { - "operator": "not", - "operands": [ - { - "name": "isAssignedToSomeone", - "parameters": {} - } - ] - } - ] - }, - "eventType": "pull_request", - "eventNames": [ - "pull_request", - "issues", - "project_card" - ], - "taskName": "Add needs triage label to new PRs", - "actions": [ - { - "name": "addLabel", - "parameters": { - "label": "Needs: Triage :mag:" - } - } - ] - } - }, - { - "taskType": "trigger", - "capabilityId": "IssueResponder", - "subCapability": "PullRequestResponder", - "version": "1.0", - "config": { - "conditions": { - "operator": "and", - 
"operands": [ - { - "name": "prIncludesModifiedFile", - "parameters": { - "pathFilter": "eslzArm/eslz-portal.json" - } - }, - { - "name": "prTargetsBranch", - "parameters": { - "branchName": "main" - } - }, - { - "name": "labelRemoved", - "parameters": { - "label": "Needs: Triage :mag:" - } - } - ] - }, - "eventType": "pull_request", - "eventNames": [ - "pull_request", - "issues", - "project_card" - ], - "taskName": "Ask Jeff to review Portal Changes", - "actions": [ - { - "name": "requestReviewer", - "parameters": { - "reRequest": true, - "reviewer": "JefferyMitchell", - "groupId": "" - } - } - ] - } - } -] \ No newline at end of file diff --git a/.github/policies/resourceManagement.yml b/.github/policies/resourceManagement.yml new file mode 100644 index 0000000000..599d1ce35c --- /dev/null +++ b/.github/policies/resourceManagement.yml 
@@ -0,0 +1,181 @@ +id: +name: GitOps.PullRequestIssueManagement +description: GitOps.PullRequestIssueManagement primitive +owner: +resource: repository +disabled: false +where: +configuration: + resourceManagementConfiguration: + scheduledSearches: + - description: + frequencies: + - hourly: + hour: 3 + filters: + - isIssue + - isOpen + - hasLabel: + label: 'Needs: Author Feedback' + - noActivitySince: + days: 5 + - isNotLabeledWith: + label: 'Status: No Recent Activity' + - isNotLabeledWith: + label: long term + actions: + - addLabel: + label: 'Status: No Recent Activity' + - addReply: + reply: This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for **5 days**. + - description: + frequencies: + - hourly: + hour: 3 + filters: + - isIssue + - isOpen + - hasLabel: + label: duplicate + - noActivitySince: + days: 1 + actions: + - addReply: + reply: This issue has been marked as duplicate and has not had any activity for **1 day**. It will be closed for housekeeping purposes. + - closeIssue + - description: + frequencies: + - hourly: + hour: 3 + filters: + - isPullRequest + - isOpen + - hasLabel: + label: 'Needs: Author Feedback' + - noActivitySince: + days: 7 + - isNotLabeledWith: + label: 'Status: No Recent Activity' + actions: + - addLabel: + label: 'Status: No Recent Activity' + - addReply: + reply: This pull request has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for **7 days**. 
+ eventResponderTasks: + - if: + - payloadType: Issue_Comment + - isAction: + action: Created + - isActivitySender: + issueAuthor: True + - hasLabel: + label: 'Needs: Author Feedback' + - isOpen + then: + - addLabel: + label: 'Needs: Attention :wave:' + - removeLabel: + label: 'Needs: Author Feedback' + description: + - if: + - payloadType: Issues + - not: + isAction: + action: Closed + - hasLabel: + label: 'Status: No Recent Activity' + then: + - removeLabel: + label: 'Status: No Recent Activity' + description: + - if: + - payloadType: Issue_Comment + - hasLabel: + label: 'Status: No Recent Activity' + then: + - removeLabel: + label: 'Status: No Recent Activity' + description: + - if: + - payloadType: Pull_Request + then: + - inPrLabel: + label: 'Status: In PR' + description: + - if: + - payloadType: Pull_Request_Review + - isAction: + action: Submitted + - isReviewState: + reviewState: Changes_requested + then: + - addLabel: + label: 'Needs: Author Feedback' + description: + - if: + - payloadType: Pull_Request + - isActivitySender: + issueAuthor: True + - not: + isAction: + action: Closed + - hasLabel: + label: 'Needs: Author Feedback' + then: + - removeLabel: + label: 'Needs: Author Feedback' + description: + - if: + - payloadType: Issue_Comment + - isActivitySender: + issueAuthor: True + - hasLabel: + label: 'Needs: Author Feedback' + then: + - removeLabel: + label: 'Needs: Author Feedback' + description: + - if: + - payloadType: Pull_Request_Review + - isActivitySender: + issueAuthor: True + - hasLabel: + label: 'Needs: Author Feedback' + then: + - removeLabel: + label: 'Needs: Author Feedback' + description: + - if: + - payloadType: Pull_Request + - not: + isAction: + action: Closed + - hasLabel: + label: 'Status: No Recent Activity' + then: + - removeLabel: + label: 'Status: No Recent Activity' + description: + - if: + - payloadType: Issue_Comment + - hasLabel: + label: 'Status: No Recent Activity' + then: + - removeLabel: + label: 'Status: No Recent 
Activity' + description: + - if: + - payloadType: Pull_Request_Review + - hasLabel: + label: 'Status: No Recent Activity' + then: + - removeLabel: + label: 'Status: No Recent Activity' + description: + - if: + - payloadType: Issue_Comment + then: + - cleanEmailReply + description: +onFailure: +onSuccess: diff --git a/.github/workflows/check-policy-build.yml b/.github/workflows/check-policy-build.yml new file mode 100644 index 0000000000..322607cf9c --- /dev/null +++ b/.github/workflows/check-policy-build.yml @@ -0,0 +1,51 @@ +--- + name: Check Policy Build + + ########################################## + # Start the job on PR for all branches # + ########################################## + + # yamllint disable-line rule:truthy + on: + pull_request: + types: + - opened + - reopened + - synchronize + - ready_for_review + paths: + - "eslzArm/**.json" + - "src/Alz.Tools/**" + - "src/**.json" + - "src/**.bicep" + + ############### + # Set the Job # + ############### + + jobs: + check-policy: + name: Check Policy Build + runs-on: ubuntu-latest + + steps: + - name: Check out repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Check build + shell: pwsh + run: | + Import-Module Pester -Force + $pesterConfiguration = @{ + Run = @{ + Container = New-PesterContainer -Path "./.github/actions-pester/Test-BuildPolicies.Tests.ps1" + PassThru = $true + } + Output = @{ + Verbosity = 'Detailed' + } + } + $result = Invoke-Pester -Configuration $pesterConfiguration + exit $result.FailedCount \ No newline at end of file diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml index aa669ee1b0..baeb83d33e 100644 --- a/.github/workflows/code-review.yml +++ b/.github/workflows/code-review.yml @@ -10,6 +10,7 @@ on: pull_request: branches: - main + - policy-refresh workflow_dispatch: {} ############### 
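Review bot: Every `description:` under scheduledSearches and eventResponderTasks is left empty, as are the top-level `id:`, `owner:` and `where:` keys, so the converted policy loses the `taskName` labels the removed JSON configuration carried and each rule has to be reverse-engineered from its filters. Carrying the old names over, e.g. `description: Add no recent activity label to issues` on the first search and `description: Close duplicate issues` on the second, would keep the policy auditable. The two Issue_Comment rules that remove `'Needs: Author Feedback'` when the sender is the issue author also appear to overlap now that `payloadType: Issue_Comment` covers both issues and pull requests; the first additionally requires `isOpen` and `action: Created` and adds `'Needs: Attention :wave:'`, so the later one may be redundant and is worth confirming.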
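Review bot: The new workflow declares no `permissions:` block, so the GITHUB_TOKEN it receives gets the repository's default scopes although the job only checks out and runs Pester; adding `permissions: contents: read` at the top level limits the token to what the steps use. The checkout uses the floating tag `actions/checkout@v4`, whereas scorecard.yml in the same commit pins actions to a commit SHA with a version comment; pinning here the same way would make the workflows consistent. The whole document also appears to be indented by one space under `---`, which is unusual and easy to break on later edits; dedenting to column 0 like the other workflow files would help.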
@@ -29,8 +30,8 @@ jobs: - name: Lint eslzArm directory uses: docker://github/super-linter:v4.9.5 env: - # Lint all code - VALIDATE_ALL_CODEBASE: true + # Only lint changed files + VALIDATE_ALL_CODEBASE: false # Need to define main branch as default # is set to master in super-linter DEFAULT_BRANCH: main @@ -50,8 +51,8 @@ jobs: - name: Lint src directory uses: docker://github/super-linter:v4.9.5 env: - # Lint all code - VALIDATE_ALL_CODEBASE: true + # Only lint changed files + VALIDATE_ALL_CODEBASE: false # Need to define main branch as default # is set to master in super-linter DEFAULT_BRANCH: main diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000000..3be0fd2175 --- /dev/null +++ b/.github/workflows/scorecard.yml 
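Review bot: Setting `VALIDATE_ALL_CODEBASE: false` in both super-linter steps (this hunk and the one at line 51 of the file) makes the linter compute changed files against `DEFAULT_BRANCH: main`, which only works when the checkout step has full history (`fetch-depth: 0`); that step is outside these hunks, so please confirm it is not a shallow clone, otherwise the changed-file detection can fail or lint nothing. `docker://github/super-linter:v4.9.5` is a mutable tag; a digest pin would match the SHA pinning introduced in scorecard.yml in this commit.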
@@ -0,0 +1,73 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 1 * * 4' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. + repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. 
+ # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + sarif_file: results.sarif diff --git a/.github/workflows/test-portal.yml b/.github/workflows/test-portal.yml index 574b78f6f6..527cb34412 100644 --- a/.github/workflows/test-portal.yml +++ b/.github/workflows/test-portal.yml @@ -25,6 +25,8 @@ env: GITHUB_PR_ID: ${{ github.event.pull_request.id }} TEMP_SUBSCRIPTIONS_JSON_PATH: "./src/data/subscriptions.json" TEMP_DEPLOYMENT_OBJECT_PATH: "./src/data/eslzArm.test.deployment.json" + POLICY_DIR: "src/resources/Microsoft.Authorization/policyDefinitions" + POLICYSET_DIR: "src/resources/Microsoft.Authorization/policySetDefinitions" permissions: contents: read 
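Review bot: `repo_token: ${{ secrets.SCORECARD_TOKEN }}` is active while the comment above it still describes the line as optional and to be uncommented only for Branch-Protection on a public repository or a private install; the comment should state which case applies here and that `SCORECARD_TOKEN` is a fine-grained PAT limited to the minimum the Branch-Protection check needs, since the rest of the workflow deliberately runs with `permissions: read-all`. The artifact step pins `actions/upload-artifact@97a0fba…` with the comment `# v3.pre.node20`; v3 of that action is deprecated upstream, so moving to a pinned v4 commit is worth considering before it stops working. Pinning by SHA with a version comment is good practice and matches Scorecard's own Pinned-Dependencies check.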
@@ -42,11 +44,30 @@ jobs: name: Test Portal Experience runs-on: ubuntu-latest environment: csu-rw + if: | + ( + github.event.pull_request.head.repo.full_name == 'Azure/Enterprise-Scale' + ) + || + ( + github.event.pull_request.head.repo.full_name != 'Azure/Enterprise-Scale' + && + contains(github.event.pull_request.labels.*.name, 'PR: Safe to test :test_tube:') + ) + || + ( + github.event_name == 'workflow_dispatch' + ) + || + ( + github.event_name == 'merge_group' + ) steps: - name: Check out repository uses: actions/checkout@v3 with: + fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} persist-credentials: false @@ -60,24 +81,12 @@ jobs: azPSVersion: "latest" - name: Azure login (OIDC) - uses: azure/login@v1 - if: ${{ success() && env.AZURE_CLIENT_SECRET == '' }} + uses: azure/login@v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-AzPSSession: true - env: - AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - - - name: Azure login (Client Secret) - uses: azure/login@v1 - if: ${{ success() && env.AZURE_CLIENT_SECRET != '' }} - with: - creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}' - enable-AzPSSession: true - env: - AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - name: Register subscriptions uses: azure/powershell@v1 
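Review bot: The new `if:` gate admits fork pull requests once they carry the `PR: Safe to test :test_tube:` label, but a label persists across later pushes, so after one maintainer review any further commit on the fork branch re-runs the job with `head.sha` checked out, the Azure OIDC login active, and the `AZURE_POLICY_SUBSCRIPTION*` secrets exposed to `./.github/actions-pester/PTF-TestPolicies.ps1` taken from that ref (hunk at line 133 below). Whether that matters depends on the trigger, which is outside these hunks; if it is `pull_request_target`, the label should be removed on `synchronize` (or the gate restricted to `github.event.action == 'labeled'`) so each new revision needs a fresh review before it runs with credentials. Dropping the client-secret login path in favour of `azure/login@v2` with OIDC only is a good tightening.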
@@ -124,6 +133,22 @@ jobs: inlineScript: ./src/scripts/Invoke-ActionRunEslzArmDeployment.ps1 azPSVersion: "latest" + - name: Install PowerShell modules + shell: pwsh + run: | + Install-Module -Name "Az" -RequiredVersion "10.1.0" -Force -Scope CurrentUser -ErrorAction Stop + Update-AzConfig -DisplayBreakingChangeWarning $false + + - name: Pester Test for Policies + uses: azure/powershell@v1 + with: + inlineScript: ./.github/actions-pester/PTF-TestPolicies.ps1 + azPSVersion: "latest" + env: + SUBSCRIPTION_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION1_ID }} + SUBSCRIPTION2_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION2_ID }} #Used for policy tests that require a second subscription (e.g. cross subscription peering) + TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + - name: Run eslzArm deployment (DESTROY) uses: azure/powershell@v1 with: diff --git a/.github/workflows/unit-test-policies.yml b/.github/workflows/unit-test-policies.yml new file mode 100644 index 0000000000..6a8320a630 --- /dev/null +++ b/.github/workflows/unit-test-policies.yml 
@@ -0,0 +1,48 @@ +name: Unit Test Policies + +########################################## +# Start the job on PR for all branches # +########################################## + +# yamllint disable-line rule:truthy +on: + pull_request: + types: + - opened + - reopened + - synchronize + - ready_for_review + paths: + - "src/resources/Microsoft.Authorization/policyDefinitions/**.json" + - "src/resources/Microsoft.Authorization/policySetDefinitions/**.json" + workflow_dispatch: {} + +env: + POLICY_DIR: "src/resources/Microsoft.Authorization/policyDefinitions" + POLICYSET_DIR: "src/resources/Microsoft.Authorization/policySetDefinitions" + +jobs: + validate-policy-files: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} + - name: Pester Test for Modified Policies + shell: pwsh + run: | + Import-Module Pester -Force + $pesterConfiguration = @{ + Run = @{ + Container = New-PesterContainer -Path "./.github/actions-pester/Test-ModifiedPolicies.Tests.ps1" + PassThru = $true + } + Output = @{ + Verbosity = 'Detailed' + } + } + $result = Invoke-Pester -Configuration $pesterConfiguration + exit $result.FailedCount diff --git a/.github/workflows/update-alz-tools.yml b/.github/workflows/update-alz-tools.yml index 5aa54efc94..35fb0b6426 100644 --- a/.github/workflows/update-alz-tools.yml +++ b/.github/workflows/update-alz-tools.yml @@ -81,7 +81,7 @@ jobs: run: | mapfile -t CHECK_GIT_STATUS < <(git status -s) printf "%s\n" "${CHECK_GIT_STATUS[@]}" - echo "::set-output name=changes::${#CHECK_GIT_STATUS[@]}" + echo "changes=${#CHECK_GIT_STATUS[@]}" >> "$GITHUB_OUTPUT" - name: Add files, commit and push if: steps.git_status.outputs.changes > 0 diff --git a/.github/workflows/update-portal.yml b/.github/workflows/update-portal.yml deleted file mode 100644 index 93599fa304..0000000000 
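Review bot: The checkout uses `ref: ${{github.event.pull_request.head.ref}}` with `repository: ${{github.event.pull_request.head.repo.full_name}}`, i.e. a branch name rather than the commit that triggered the run, so the Pester step may test a later push than the one the check result is reported against; `ref: ${{ github.event.pull_request.head.sha }}` pins it, and on `workflow_dispatch` both expressions are empty so the checkout silently falls back to the default ref, which should at least be documented. The workflow also sets no `permissions:` block and uses `actions/checkout@v3`, while check-policy-build.yml in this commit uses v4 and scorecard.yml pins by SHA; `permissions: contents: read` plus the same pin would align them.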
--- a/.github/workflows/update-portal.yml
+++ /dev/null
@@ -1,104 +0,0 @@ ---- -name: Update Portal Experience - -########################################## -# Start the job on push for all branches # -########################################## - -# yamllint disable-line rule:truthy -on: - pull_request_target: - types: - - opened - - reopened - - synchronize - - ready_for_review - paths: - - "eslzArm/**.json" - - "src/Alz.Tools/**" - - "src/**.json" - - "src/**.bicep" - -env: - github_user_name: "github-actions" - github_email: "41898282+github-actions[bot]@users.noreply.github.com" - github_commit_message: "Auto-update Portal experience" - github_pr_number: ${{ github.event.number }} - github_pr_repo: ${{ github.event.pull_request.head.repo.full_name }} - -permissions: - contents: write - -############### -# Set the Job # -############### - -jobs: - update-portal: - name: Update Portal Experience - runs-on: ubuntu-latest - - steps: - - name: Check out repository - uses: actions/checkout@v3 - - - name: Show env - run: env | sort - - - name: Check out PR - run: | - echo "==> Check out PR..." - gh pr checkout "$github_pr_number" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Configure local git - run: | - echo "git user name : $github_user_name" - git config --global user.name "$github_user_name" - echo "git user email : $github_email" - git config --global user.email "$github_email" - - - name: Update policies - run: bicep build ./src/templates/policies.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/policies.json - - - name: Update roles - run: bicep build ./src/templates/roles.bicep --outfile ./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json - - - name: Check git status - run: | - echo "==> Check git status..." - git status --short --branch - - - name: Stage changes - run: | - echo "==> Stage changes..." 
- mapfile -t STATUS_LOG < <(git status --short | grep eslzArm/) - if [ ${#STATUS_LOG[@]} -gt 0 ]; then - echo "Found changes to the following files:" - printf "%s\n" "${STATUS_LOG[@]}" - git add --all ./eslzArm - else - echo "No changes to add." - fi - - - name: Push changes - run: | - echo "==> Check git diff..." - mapfile -t GIT_DIFF < <(git diff --cached) - printf "%s\n" "${GIT_DIFF[@]}" - - if [ ${#GIT_DIFF[@]} -gt 0 ]; then - - echo "==> Commit changes..." - git commit --message "$github_commit_message [$GITHUB_ACTOR/${GITHUB_SHA::8}]" - - echo "==> Push changes..." - echo "Pushing changes to: $github_pr_repo" - git push "https://$GITHUB_TOKEN@github.com/$github_pr_repo.git" "HEAD:$GITHUB_HEAD_REF" - - else - echo "No changes found." - fi - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/wiki-sync.yml b/.github/workflows/wiki-sync.yml index 10231d32ae..f0b0ac0152 100644 --- a/.github/workflows/wiki-sync.yml +++ b/.github/workflows/wiki-sync.yml @@ -23,15 +23,18 @@ jobs: name: Sync docs/wiki to Wiki if: github.repository == 'Azure/Enterprise-Scale' || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest + permissions: + contents: write + steps: - name: Checkout Source Repo - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: repository: ${{ env.wiki_source_repo }} path: ${{ env.wiki_source_repo }} - name: Checkout Wiki Repo - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: repository: ${{ env.wiki_target_repo }} path: ${{ env.wiki_target_repo }} diff --git a/.gitignore b/.gitignore index 556fdfcbd8..a025691888 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,5 @@ # GitHub Super Linter super-linter.log + +src/data/eslzArm.test.deployment.json diff --git a/README.md b/README.md index 5dd2c37f7e..221e36c0de 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,8 @@ -# Enterprise-Scale - Reference Implementation +# Azure Landing Zones (Enterprise-Scale) - Reference Implementation [![Average time to resolve an issue](http://isitmaintained.com/badge/resolution/azure/enterprise-scale.svg)](http://isitmaintained.com/project/azure/enterprise-scale "Average time to resolve an issue") [![Percentage of issues still open](http://isitmaintained.com/badge/open/azure/enterprise-scale.svg)](http://isitmaintained.com/project/azure/enterprise-scale "Percentage of issues still open") +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Azure/Enterprise-Scale/badge)](https://scorecard.dev/viewer/?uri=github.com/Azure/Enterprise-Scale) ## User documentation 
@@ -11,21 +12,21 @@ To find out more about the Azure landing zones reference implementation, please ## Objective -The Enterprise-Scale architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture. It will continue to evolve alongside the Azure platform and is ultimately defined by the various design decisions that organizations must make to define their Azure journey. +The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture. It will continue to evolve alongside the Azure platform and is ultimately defined by the various design decisions that organizations must make to define their Azure journey. -The Enterprise-Scale architecture is modular by design and allows organizations to start with foundational landing zones that support their application portfolios, and the architecture enables organizations to start as small as needed and scale alongside their business requirements regardless of scale point. +The Azure Landing Zones (Enterprise-Scale) architecture is modular by design and allows organizations to start with foundational landing zones that support their application portfolios, and the architecture enables organizations to start as small as needed and scale alongside their business requirements regardless of scale point. 
![Animated image showing the modularity of Azure landing zones](./docs/wiki/media/ESLZ.gif) --- -_The Enterprise-Scale architecture represents the strategic design path and target technical state for your Azure environment._ +_The Azure Landing Zones (Enterprise-Scale) architecture represents the strategic design path and target technical state for your Azure environment._ --- Not all enterprises adopt Azure in the same way, so the Enterprise-Scale architecture may vary between customers. Ultimately, the technical considerations and design recommendations of the Enterprise-Scale architecture may lead to different trade-offs based on the customer's scenario. Some variation is expected, but if core recommendations are followed, the resulting target architecture will put the customer on a path to sustainable scale. -The Enterprise-Scale reference implementations in this repository are intended to support Enterprise-Scale Azure adoption and provides prescriptive guidance based on authoritative design for the Azure platform as a whole. +The Azure Landing Zones (Enterprise-Scale) reference implementations in this repository are intended to support Enterprise-Scale Azure adoption and provides prescriptive guidance based on authoritative design for the Azure platform as a whole. | Key customer landing zone requirement | Enterprise-Scale reference implementations | |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -35,33 +36,31 @@ The Enterprise-Scale reference implementations in this repository are intended t | Be aligned with cloud provider’s platform roadmap | Yes | | UI Experience and simplified setup | Yes, Azure portal | | All critical services are present and properly configured according to recommend best practices for identity & access management, governance, security, network and logging | Yes, using a multi-subscription design, aligned with Azure platform roadmap | -| Automation capabilities (IaC/DevOps) | Yes: ARM, Policy, GitHub/Azure DevOps CI/CD pipeline option included | +| Automation capabilities (IaC/DevOps) | Yes: ARM, Policy, Bicep and Terraform Modules | | Provides long-term self-sufficiency | Yes, enterprise-scale architecture -> 1:N landing zones. Approach & architecture prepare the customer for long-term self-sufficiency, the RIs are there to get you started | | Enables migration velocity across the organization | Yes, enterprise-scale architecture -> 1:N landing zones, Architecture includes designs for segmentation and separation of duty to empower teams to act within appropriate landing zones | | Achieves operational excellence | Yes. Enables autonomy for platform and application teams with a policy driven governance and management | ## Conditions for success -To fully leverage this reference implementation in this repository, readers must have a collaborative engagement with key customer stakeholders across critical technical domains, such as identity, security, and networking. Ultimately, the success of cloud adoption hinges on cross-discipline cooperation within the organization, since key requisite Enterprise-Scale design decisions are cross cutting, and to be authoritative must involve domain Subject Matter Expertise (SME) and stakeholders within the customer. It is crucial that the organization has defined their [Enterprise-Scale Architecture](./docs/EnterpriseScale-Architecture.md) following the design principles and critical design areas. 
+To fully leverage this reference implementation in this repository, readers must have a collaborative engagement with key customer stakeholders across critical technical domains, such as identity, security, and networking. Ultimately, the success of cloud adoption hinges on cross-discipline cooperation within the organization, since key requisite Enterprise-Scale design decisions are cross cutting, and to be authoritative must involve domain Subject Matter Expertise (SME) and stakeholders within the customer. It is crucial that the organization has defined their [Azure Landing Zones (Enterprise-Scale) Architecture](./docs/EnterpriseScale-Architecture.md) following the design principles and critical design areas. -It is also assumed that readers have a broad understanding of key Azure constructs and services in order to fully contextualize the prescriptive recommendations contained within Enterprise-Scale. +It is also assumed that readers have a broad understanding of key Azure constructs and services in order to fully contextualize the prescriptive recommendations contained within Azure Landing Zones (Enterprise-Scale). -## Deploying Enterprise-Scale Architecture in your own environment +## Deploying Azure Landing Zones (Enterprise-Scale Architecture) in your own environment -The Enterprise-Scale architecture is modular by design and allows customers to start with foundational Landing Zones that support their application portfolios, regardless of whether the applications are being migrated or are newly developed and deployed to Azure. The architecture can scale alongside the customer's business requirements regardless of scale point. In this repository we are providing the following five templates representing different scenarios composed using ARM templates. 
+The Azure Landing Zones (Enterprise-Scale Architecture) is modular by design and allows customers to start with foundational Landing Zones that support their application portfolios, regardless of whether the applications are being migrated or are newly developed and deployed to Azure. The architecture can scale alongside the customer's business requirements regardless of scale point. In this repository we are providing the following five templates representing different scenarios composed using ARM templates. -| Reference implementation | Description | ARM Template | Link | -|:-------------------------|:-------------|:-------------|------| -| Contoso | On-premises connectivity using Azure vWAN |[![Deploy To Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Feslz-portal.json) | [Detailed description](./docs/reference/contoso/Readme.md) | -| AdventureWorks | On-premises connectivity with Hub & Spoke |[![Deploy To Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Feslz-portal.json) | [Detailed description](./docs/reference/adventureworks/README.md) | -| WingTip | Azure without hybrid connectivity |[![Deploy To 
Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Feslz-portal.json) | [Detailed description](./docs/reference/wingtip/README.md) | -| Trey Research | On-premises connectivity with Hub and Spoke for small Enterprises | [![Deploy To Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2Fdocs%2Freference%2Ftreyresearch%2FarmTemplates%2Fes-lite.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2Fdocs%2Freference%2Ftreyresearch%2FarmTemplates%2Fportal-es-lite.json) | [Detailed description](./docs/reference/treyresearch/README.md) | -| Azure Gov | Reference implementation that can be deployed to Azure gov and includes all options in a converged experience | [![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Ffairfaxeslz-portal.json) | N/A +[![Deploy To Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://aka.ms/alz/portal) -> The Bicep version is now available in Public Preview here: [https://github.com/Azure/ALZ-Bicep](https://github.com/Azure/ALZ-Bicep) +You can find all of the 
implementation options for Azure Landing Zones here: [aka.ms/alz/aac](https://aka.ms/alz/aac#platform) + +## Azure Landing Zones Roadmap + +The Azure Landing Zones (Enterprise-Scale) architecture is continuously updated to align with advancements in the Azure platform and insights from customer feedback. For detailed information on future updates, please refer to the roadmap at: [Azure Landing Zones Roadmap](https://aka.ms/alz/roadmap) ## Contributing diff --git a/SUPPORT.md b/SUPPORT.md index 753aa9dcac..97f5af50ac 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -2,7 +2,7 @@ ## Microsoft Support Policy -If issues are encountered when deploying these reference implementations users will be able to engage Microsoft support via their usual channels. Please provide corelation IDs where possible when contacting support to be able to investigate issue effectively and in timely fashion. For instruction on how to get deployments and correlation ID, please follow this link [here](https://learn.microsoft.com/azure/azure-resource-manager/templates/deployment-history?tabs=azure-portal#get-deployments-and-correlation-id). +If issues are encountered when deploying these reference implementations users will be able to engage Microsoft support via their usual channels. Please provide correlation IDs where possible when contacting support to be able to investigate issue effectively and in timely fashion. For instruction on how to get deployments and correlation ID, please follow this link [here](https://learn.microsoft.com/azure/azure-resource-manager/templates/deployment-history?tabs=azure-portal#get-deployments-and-correlation-id). Following list of issues are within the scope of Microsoft support: diff --git a/docs/EnterpriseScale-Setup-aad-permissions.md b/docs/EnterpriseScale-Setup-aad-permissions.md index d6f81da1a8..087ff41c02 100644 --- a/docs/EnterpriseScale-Setup-aad-permissions.md +++ b/docs/EnterpriseScale-Setup-aad-permissions.md 
@@ -1,3 +1,3 @@
 # This page has moved to our Wiki
-Please refer to [Configure Azure Active Directory permissions for Service Principal](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-aad-permissions)
+Please refer to [Configure Microsoft Entra permissions for Service Principal](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-aad-permissions)
diff --git a/docs/reference/Readme.md b/docs/reference/Readme.md
index 651b028bdb..51b3852c1b 100644
--- a/docs/reference/Readme.md
+++ b/docs/reference/Readme.md
@@ -36,8 +36,8 @@ Networking: IAM
-1) Create Azure AD Group for Subscriptions access
-2) Create Azure AD PIM Entitlement for the scope
+1) Create Microsoft Entra Group for Subscriptions access
+2) Create Microsoft Entra PIM Entitlement for the scope
 # File -> New -> Sandbox
diff --git a/docs/reference/adventureworks/README.md b/docs/reference/adventureworks/README.md
index b85b7e7931..0324c3aed4 100644
--- a/docs/reference/adventureworks/README.md
+++ b/docs/reference/adventureworks/README.md
@@ -25,10 +25,10 @@ Please refer to the [Enterprise-Scale Landing Zones User Guide](https://github.c
 If customer started with a Enterprise-Scale foundation deployment, and if the business requirements changes over time, such as migration of on-premise applications to Azure that requires hybrid connectivity, you will simply create the **Connectivity** Subscription, place it into the **Platform > Connectivity** Management Group and assign Azure Policy for the hub and spoke network topology.
-## Pre-requisites
+## Prerequisites
-To deploy this ARM template, your user/service principal must have Owner permission at the Tenant root.
-See the following [instructions](../../EnterpriseScale-Setup-azure.md) on how to grant access.
+To deploy this ARM template, there are a number of prerequisites that must be met.
+See [here](../../wiki/Deploying-ALZ-Pre-requisites.md) for more details.
 ### Optional prerequisites
@@ -59,7 +59,6 @@ By default, all recommendations are enabled and you must explicitly disable them - Azure Security Center (Standard or Free tier) - Azure Sentinel - Diagnostics settings for Activity Logs, VMs, and PaaS resources sent to Log Analytics -- (Optionally) Integrate your Azure environment with GitHub (Azure DevOps will come later), where you provide the PA Token to create a new repository and automatically discover and merge your deployment into Git. - An Azure subscription dedicated for **connectivity**, which deploys core Azure networking resources such as: - A hub virtual network - Azure Firewall (optional - deployment across Availability Zones) diff --git a/docs/reference/azpol.md b/docs/reference/azpol.md index df02557dac..220c995a5f 100644 --- a/docs/reference/azpol.md +++ b/docs/reference/azpol.md 
@@ -31,9 +31,9 @@ A custom ESLZ Policy Initiative specifically fo SQL Databases helps implement fo ### Encrypt SQL data at rest -SQL database and its backups are prone to risks of getting into hands of malicious actors. It's very easy to restore SQL database from either database files or backup. Without proper defence system in place, malicious actors can have access to all the data. +SQL database and its backups are prone to risks of getting into hands of malicious actors. It's very easy to restore SQL database from either database files or backup. Without proper defense system in place, malicious actors can have access to all the data. -Ensuring that SQL database is encrypted at rest is one of the first steps towards building SQL database defence strategy. Azure SQL database Transparent Data Encryption (TDE) ensures that data is encrypted at rest without needing any application code level change. +Ensuring that SQL database is encrypted at rest is one of the first steps towards building SQL database defense strategy. Azure SQL database Transparent Data Encryption (TDE) ensures that data is encrypted at rest without needing any application code level change. A SQL database with TDE enabled makes it hard for malicious actors to get access to data it holds even if its compromised. 
@@ -161,7 +161,7 @@ Inability to identify and visualize relationship between Azure platform, Azure s Azure Monitor Logs along with Azure Log Analytics Workspace help enterprises in dealing with critical conditions using Alerts. Combined together, Azure Monitor Logs and Log Analytics Workspace, empower enterprises to visualize and interact with rich set of log information through dashboards, workbooks and Power BI. Enterprises can use Azure Monitor Logs and Log Analytics Workspace together to configure auto-scaling on VMs to automatically adding or removing instances. -A custom ESLZ policy helps in configuring Log Analytics Workspace with Azure Monitor. This policy deploys pre-packaged dashboard reports referred as Azure Monitor Solutions for specific Azure services such as Azure SQL Database or Azure Active Directory. It also configures data sources such as Linux and Windows VM Performance metrics with Azure Monitor. +A custom ESLZ policy helps in configuring Log Analytics Workspace with Azure Monitor. This policy deploys pre-packaged dashboard reports referred as Azure Monitor Solutions for specific Azure services such as Azure SQL Database or Microsoft Entra ID. It also configures data sources such as Linux and Windows VM Performance metrics with Azure Monitor. ## Enable Log Storage and Querying diff --git a/docs/reference/contoso/Readme.md b/docs/reference/contoso/Readme.md index dbbe905d8e..df141ab03b 100644 --- a/docs/reference/contoso/Readme.md +++ b/docs/reference/contoso/Readme.md 
@@ -22,10 +22,10 @@ Please refer to [Enterprise-Scale Landing Zones User Guide](https://github.com/A If customer started with a Enterprise-Scale foundation deployment, and if the business requirements changes over time, such as migration of on-prem applications to Azure that requires hybrid connectivity, you will simply create the **Connectivity** Subscription and place it into the **Platform > Connectivity** Management Group and assign Azure Policy for the VWAN network topology. -## Pre-requisites +## Prerequisites -To deploy this ARM template, your user/service principal must have Owner permission at the Tenant root. -See the following [instructions](../../EnterpriseScale-Setup-azure.md) on how to grant access. +To deploy this ARM template, there are a number of prerequisites that must be met. +See [here](../../wiki/Deploying-ALZ-Pre-requisites.md) for more details. ### Optional prerequisites @@ -54,7 +54,6 @@ The rest of the options across the different blades will depend on your environm - Azure Security Center (Standard or Free tier) - Azure Sentinel - Diagnostics settings for Activity Logs, VMs, and PaaS resources sent to Log Analytics -- (Optionally) Integrate your Azure environment with GitHub (Azure DevOps will come later), where you provide the PA Token to create a new repository and automatically discover and merge your deployment into Git. - An Azure Subscription dedicated for **connectivity**, which deploys core Azure networking resources such as: - Azure VWAN - VWAN Hub diff --git a/docs/reference/treyresearch/README.md b/docs/reference/treyresearch/README.md index 07d35adcd1..0db7f5dbdf 100644 --- a/docs/reference/treyresearch/README.md +++ b/docs/reference/treyresearch/README.md 
@@ -20,9 +20,10 @@ Please refer to [Enterprise-Scale Landing Zones User Guide](https://github.com/A If the business requirements change over time, the architecture allows for creating additional subscriptions and placing them into the suitable management group and assigning Azure policies. For more details, see the next steps section at the end of this document. -## Pre-requisites +## Prerequisites -To deploy this ARM template, your user/service principal must have Owner permission at the Azure Active Directory Tenant root. See the following [instructions](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) on how to grant access before you proceed. +To deploy this ARM template, there are a number of prerequisites that must be met. +See [here](../../wiki/Deploying-ALZ-Pre-requisites.md) for more details. ## Optional pre-requisites @@ -72,6 +73,8 @@ By default, all recommendations are enabled. You must explicitly disable them if - Enforce encryption for Azure SQL - Enforce auditing for Azure SQL - Enforce secure access (HTTPS) to storage accounts + + **Note:** You may notice the creation of different *managed identities* after deploying the policies described above. This is because a policy with effect *deployIfNotExists (DINE) or modify* will be enforced when enabling a recommendation. These kind of policy effects use managed identities in order to remediate resources that are not compliant. To learn more about what policies are included in ALZ reference implementations, refer to [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies). ![Trey Research](./media/es-lite.png) diff --git a/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json b/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json index 4f47621256..511f5711f9 100644 --- a/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json 
+++ b/docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json @@ -107,6 +107,10 @@ "type": "string", "defaultValue": "" }, + "enableVpnActiveActive": { + "type": "string", + "defaultValue": "" + }, "gwAzSku": { "type": "string", "defaultValue": "" @@ -147,10 +151,12 @@ "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('location'))]", "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]", "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]", + "azVpnGwAAIpName": "[concat(variables('vpngwname'), '-pip-002')]", "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('location'))]", "azErGwIpName": "[concat(variables('erGwName'), '-pip')]", "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "azVpnGwAAPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]", "azFwIpName": "[concat(variables('azFwName'), '-pip')]", "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]", 
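Review bot: `enableVpnActiveActive` is declared in the first hunk with `"defaultValue": ""` and no `allowedValues`, while the same parameter in es-lite.json in this commit is constrained to `Yes`/`No` with a default of `No`. Any caller of this auxiliary template that does not pass the new parameter therefore gets the empty string, which matches neither of the gateway `condition`s further down the file, so `enableVpnGw: Yes` can silently produce no gateway at all. Declaring it here as `"defaultValue": "No", "allowedValues": ["Yes", "No"]` keeps the two templates consistent and makes a bad value fail validation instead of being ignored. The second hunk only adds the `azVpnGwAAIpName`/`azVpnGwAAPipId` variables and looks fine.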
@@ -347,7 +353,20 @@ } }, { - "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "location": "[parameters('location')]", + "name": "[variables('azVpnGwAAIpName')]", + "sku": { + "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + }, + "properties": { + "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + } + }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'No'), not(empty(parameters('subnetMaskForGw'))))]", "apiVersion": "2020-05-01", "name": "[variables('vpngwname')]", "type": "Microsoft.Network/virtualNetworkGateways", @@ -357,6 +376,7 @@ "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" ], "properties": { + "activeActive": false, "gatewayType": "Vpn", "vpnGatewayGeneration": "Generation2", "vpnType": "[parameters('vpnGwType')]", 
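Review bot: The changed `condition` on the existing active-passive gateway now requires `enableVpnActiveActive` to equal `'No'` exactly, so with this template's declared default of `""` (or any caller that omits the parameter) neither this gateway nor the new active-active one is created even when `enableVpnGw` is `Yes`, and the deployment still reports success. Either treat anything other than `Yes` as passive, `"condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(equals(parameters('enableVpnActiveActive'),'Yes')), not(empty(parameters('subnetMaskForGw'))))]"`, or constrain the parameter to `Yes`/`No` with a `No` default in this file. The new `-pip-002` public IP copies the `Basic`/`Dynamic` choice for regional gateways; my understanding is that Basic SKU public IPs are on a retirement path, so it may be worth confirming that combination is still accepted for a Generation2 gateway before adding a second one, but I cannot see the primary IP resource from this hunk.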
@@ -396,6 +416,70 @@ } } }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "name": "[variables('vpngwname')]", + "type": "Microsoft.Network/virtualNetworkGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "activeActive": true, + "gatewayType": "Vpn", + "vpnGatewayGeneration": "Generation2", + "vpnType": "[parameters('vpnGwType')]", + "ipConfigurations": [ + { + "name": "default", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azVpnGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azVpnGwPipId')]" + } + } + }, + { + "name": "activeactive", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azVpnGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azVpnGwAAPipId')]" + } + } + } + ], + "sku": { + "name": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]", + "tier": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]" + } + } + }, { "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", "apiVersion": "2020-05-01", diff --git a/docs/reference/treyresearch/armTemplates/auxiliary/policies.json b/docs/reference/treyresearch/armTemplates/auxiliary/policies.json index 1fc396dfa9..f1bac4a737 100644 
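Review bot: The `sku.name`/`sku.tier` expression in the new active-active gateway is a verbatim copy of the one on the passive gateway, which is the kind of duplication that drifts; one variable, `"vpnGwSku": "[if(and(or(empty(parameters('gwRegionalSku')), empty(parameters('gwAzSku'))), not(empty(parameters('gwRegionalSku')))), parameters('gwRegionalSku'), parameters('gwAzSku'))]"`, referenced as `"name": "[variables('vpnGwSku')]"` and `"tier": "[variables('vpnGwSku')]"` in both resources, would keep them in step. The two gateway resources also share `variables('vpngwname')` as their `name` and rely on their `condition`s being mutually exclusive, which holds only for the literal values `Yes` and `No`. The Trey Research README should also caveat that active-active is not offered on the Basic gateway SKU and that, with no `enableBgp` set here, on-premises devices must be configured with both tunnels to gain anything from the second instance; both are my understanding of the platform rather than something visible in this diff, so please confirm.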
--- a/docs/reference/treyresearch/armTemplates/auxiliary/policies.json +++ b/docs/reference/treyresearch/armTemplates/auxiliary/policies.json @@ -14665,8 +14665,8 @@ }, { "properties": { - "description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.", - "displayName": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.", + "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace", "mode": "Indexed", "parameters": { "logAnalytics": { @@ -14831,8 +14831,8 @@ }, { "properties": { - "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.", - "displayName": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.", + "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace", "mode": "Indexed", "parameters": { "logAnalytics": { 
@@ -14989,8 +14989,8 @@ }, { "properties": { - "description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.", - "displayName": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.", + "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace", "mode": "Indexed", "parameters": { "logAnalytics": { @@ -18827,8 +18827,8 @@ "Disabled" ], "metadata": { - "displayName": "Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace", - "description": "Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled" + "displayName": "Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled" } }, "WVDWorkspaceLogAnalyticsEffect": { 
@@ -18839,8 +18839,8 @@ "Disabled" ], "metadata": { - "displayName": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace", - "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled" + "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled" } }, "WVDHostPoolsLogAnalyticsEffect": { @@ -18851,8 +18851,8 @@ "Disabled" ], "metadata": { - "displayName": "Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace", - "description": "Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled" + "displayName": "Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled" } }, "StorageAccountsLogAnalyticsEffect": { @@ -20267,9 +20267,10 @@ }, "SqlServerTDECMKEffect": { "type": "String", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Audit", "allowedValues": [ - "AuditIfNotExists", + "Audit", + "Deny", "Disabled" ], "metadata": { 
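Review bot: Dropping `AuditIfNotExists` from `SqlServerTDECMKEffect`'s `allowedValues` in the last hunk is a breaking change for anyone redeploying this initiative with a saved parameter file or pipeline variable still set to the old default, because that value now fails template validation. If the replacement built-in only accepts `Audit`/`Deny`/`Disabled` that is unavoidable, but it needs a migration note in the release notes or in the parameter's `metadata.description` (cut off at the end of this hunk), e.g. `"description": "Effect for the customer-managed-key policy on SQL servers. Audit by default; set to Deny to block new servers without a CMK. AuditIfNotExists is no longer accepted."`. Keeping the default at `Audit` is the right call: `Deny` should remain opt-in until existing servers have been remediated.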
@@ -20421,7 +20422,7 @@ } }, { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", "policyDefinitionReferenceId": "SqlServerTDECMKEffect", "parameters": { "effect": { @@ -20502,18 +20503,6 @@ "description": "App Service. Select version minimum TLS version for a Web App config to enforce" } }, - "APIAppServiceLatestTlsEffect": { - "metadata": { - "displayName": "App Service API App. Latest TLS version should be used in your API App", - "description": "App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." - }, - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ] - }, "APIAppServiceHttpsEffect": { "metadata": { "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", @@ -20848,15 +20837,6 @@ } } }, - { - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", - "policyDefinitionReferenceId": "APIAppServiceLatestTlsEffect", - "parameters": { - "effect": { - "value": "[[parameters('APIAppServiceLatestTlsEffect')]" - } - } - }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", "policyDefinitionReferenceId": "FunctionLatestTlsEffect", diff --git a/docs/reference/treyresearch/armTemplates/es-lite.json b/docs/reference/treyresearch/armTemplates/es-lite.json index 4a197ab0d9..c6babdfddf 100644 --- a/docs/reference/treyresearch/armTemplates/es-lite.json +++ b/docs/reference/treyresearch/armTemplates/es-lite.json 
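Review bot: Removing the `APIAppServiceLatestTlsEffect` parameter in the second hunk (and its initiative member referencing `8cb6aa8b-…` in the third) is another silent breaking change for callers that still pass that parameter, and nothing in the diff says whether API App sites remain covered by a TLS check. The preceding parameter's description (`App Service. Select version minimum TLS version for a Web App config to enforce`) suggests a general App Service TLS control exists, but its definition is outside this hunk, so please confirm it also evaluates API App sites and record the reason for the removal (presumably deprecation of that built-in) in the commit or release notes so the gap is not rediscovered later.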
@@ -350,6 +350,14 @@ "type": "string", "defaultValue": "" },
+ "enableVpnActiveActive": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
 "gwAzSku": { "type": "string", "defaultValue": ""
@@ -825,6 +833,9 @@ "gwRegionalOrAz": { "value": "[parameters('gwRegionalOrAz')]" },
+ "enableVpnActiveActive": {
+ "value": "[parameters('enableVpnActiveActive')]"
+ },
 "gwAzSku": { "value": "[parameters('gwAzSku')]" },
diff --git a/docs/reference/treyresearch/armTemplates/es-portal.json b/docs/reference/treyresearch/armTemplates/es-portal.json
index eb35638fa7..97330689c6 100644
--- a/docs/reference/treyresearch/armTemplates/es-portal.json
+++ b/docs/reference/treyresearch/armTemplates/es-portal.json
@@ -534,7 +534,7 @@
 "type": "Microsoft.Common.OptionsGroup",
 "label": "Deploy zone redundant or regional VPN Gateway",
 "defaultValue": "Zone redundant (recommended)",
- "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": 
"[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.",
 "constraints": {
 "allowedValues": [
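Review bot: The zone-capable region list this hunk extends with `italynorth` is hand-copied into every gateway and firewall `visible` expression of this file (the `@@ -558`, `-594`, `-630`, `-694`, `-718`, `-749`, `-780` and `-850` hunks) and again into portal-es-lite.json (`@@ -525`, `-549`, `-585`), and each copy also carries the pre-existing duplicate `equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')` term, which is a sign the lists are already drifting. Consider evaluating the region check once — e.g. one hidden element whose value is the `or(…)` chain, referenced by the other controls as `steps('esConnectivityGoalState').<name>` — so that a new region is a one-place change and the copies cannot disagree. Whether italynorth actually offers zone-redundant gateway and firewall SKUs cannot be confirmed from the diff; it is worth stating in the PR description.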
@@ -549,6 +549,26 @@
 ]
 }
 },
+ {
+ "name": "enableVpnActiveActive",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway in Active/Active mode",
+ "defaultValue": "No",
+ "visible": "[and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').enableVpnGw,'Yes'))]",
+ "toolTip": "Deploy the VPN gateway in Active/Active mode",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
 {
 "name": "esGwNoAzSku",
 "type": "Microsoft.Common.DropDown",
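Review bot: The new `enableVpnActiveActive` control's `visible` expression reads `steps('connectivity').enableVpnGw` and `steps('connectivity').enableHub`, but every sibling control in this file keys off `steps('esConnectivityGoalState').esVpnGw` (see the hunks immediately above and below), so the referenced step and fields appear not to exist here and the option would never render; the output added in the `@@ -1254` hunk would then always carry the default `No`. The same expression is copied into portal-es-lite.json in its `@@ -540,6 +540,26 @@` hunk. Suggested: `"visible": "[equals(steps('esConnectivityGoalState').esVpnGw,'Yes')]"`, restoring the vWAN exclusion only if this file has an equivalent hub-type field. The repeated `equals(steps('connectivity').enableVpnGw,'Yes')` term is redundant either way.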
@@ -558,7 +578,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'))))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), 
not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth'))))]",
 "toolTip": "Select the required SKU for the VPN gateway.",
 "constraints": {
 "allowedValues": [
@@ -594,7 +614,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Zone') ,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Zone') 
,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "Select the required SKU for the VPN gateway.",
 "constraints": {
 "allowedValues": [
@@ -630,7 +650,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Regional') ,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Regional') 
,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "Select the required SKU for the VPN gateway.",
 "constraints": {
 "allowedValues": [
@@ -694,7 +714,7 @@
 "type": "Microsoft.Common.OptionsGroup",
 "label": "Deploy zone redundant or regional ExpressRoute Gateway",
 "defaultValue": "Zone redundant (recommended)",
- "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": 
"[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route Gateway to the selected region and availability zones.",
 "constraints": {
 "allowedValues": [
@@ -718,7 +738,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Zone'), or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Zone'), 
or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "Select the required SKU for the Express Route gateway.",
 "constraints": {
 "allowedValues": [
@@ -749,7 +769,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Regional'), or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Regional'), 
or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "Select the required SKU for the Express Route gateway.",
 "constraints": {
 "allowedValues": [
@@ -780,7 +800,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'))))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), 
not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth'))))]",
 "toolTip": "Select the required SKU for the Express Route gateway.",
 "constraints": {
 "allowedValues": [
@@ -850,7 +870,7 @@
 "multiselect": true,
 "selectAll": true,
 "filter": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esAzFw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": 
"[and(equals(steps('esConnectivityGoalState').esAzFw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.",
 "constraints": {
 "required": true,
@@ -1254,6 +1274,7 @@
 "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
 "firewallZones": "[steps('esConnectivityGoalState').esFwAz]",
 "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
+ "enableVpnActiveActive": "[steps('esConnectivityGoalState').enableVpnActiveActive]",
 "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]",
 "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]",
 "erRegionalOrAz": "[steps('esConnectivityGoalState').esErRegionalOrAz]",
diff --git a/docs/reference/treyresearch/armTemplates/portal-es-lite.json b/docs/reference/treyresearch/armTemplates/portal-es-lite.json
index cc28b9e4a8..06e4dc90b9 100644
--- a/docs/reference/treyresearch/armTemplates/portal-es-lite.json
+++ b/docs/reference/treyresearch/armTemplates/portal-es-lite.json
@@ -525,7 +525,7 @@
 "type": "Microsoft.Common.OptionsGroup",
 "label": "Deploy zone redundant or regional VPN Gateway",
 "defaultValue": "Zone redundant (recommended)",
- "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": 
"[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.",
 "constraints": {
 "allowedValues": [
@@ -540,6 +540,26 @@
 ]
 }
 },
+ {
+ "name": "enableVpnActiveActive",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway in Active/Active mode",
+ "defaultValue": "No",
+ "visible": "[and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').enableVpnGw,'Yes'))]",
+ "toolTip": "Deploy the VPN gateway in Active/Active mode",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
 {
 "name": "esGwNoAzSku",
 "type": "Microsoft.Common.DropDown",
@@ -549,7 +569,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'))))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), 
not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth'))))]",
 "toolTip": "Select the required SKU for the VPN gateway.",
 "constraints": {
 "allowedValues": [
@@ -585,7 +605,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Zone') ,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Zone') 
,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "Select the required SKU for the VPN gateway.",
 "constraints": {
 "allowedValues": [
@@ -621,7 +641,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Regional') ,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Regional') 
,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "Select the required SKU for the VPN gateway.",
 "constraints": {
 "allowedValues": [
@@ -685,7 +705,7 @@
 "type": "Microsoft.Common.OptionsGroup",
 "label": "Deploy zone redundant or regional ExpressRoute Gateway",
 "defaultValue": "Zone redundant (recommended)",
- "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": 
"[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route Gateway to the selected region and availability zones.",
 "constraints": {
 "allowedValues": [
@@ -709,7 +729,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Zone'), or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Zone'), 
or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "Select the required SKU for the Express Route gateway.",
 "constraints": {
 "allowedValues": [
@@ -740,7 +760,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Regional'), or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Regional'), 
or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "Select the required SKU for the Express Route gateway.",
 "constraints": {
 "allowedValues": [
@@ -771,7 +791,7 @@
 "selectAll": false,
 "filter": false,
 "multiLine": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'))))]",
+ "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), 
not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth'))))]",
 "toolTip": "Select the required SKU for the Express Route gateway.",
 "constraints": {
 "allowedValues": [
@@ -841,7 +861,7 @@
 "multiselect": true,
 "selectAll": true,
 "filter": true,
- "visible": "[and(equals(steps('esConnectivityGoalState').esAzFw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "visible": 
"[and(equals(steps('esConnectivityGoalState').esAzFw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'),equals(steps('esConnectivityGoalState').esNwLocation,'italynorth')))]",
 "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.",
 "constraints": {
 "required": true,
@@ -1243,6 +1263,7 @@
 "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
 "firewallZones": "[steps('esConnectivityGoalState').esFwAz]",
 "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
+ "enableVpnActiveActive": "[steps('esConnectivityGoalState').enableVpnActiveActive]",
 "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]",
 "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]",
 "erRegionalOrAz": "[steps('esConnectivityGoalState').esErRegionalOrAz]",
diff --git a/docs/reference/wingtip/README.md b/docs/reference/wingtip/README.md
index 205bd4ffcb..1364b45a71 100644
--- a/docs/reference/wingtip/README.md
+++ b/docs/reference/wingtip/README.md
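Review bot: The new output reads `steps('esConnectivityGoalState').enableVpnActiveActive`, while every sibling entry in this object reads an element carrying the `es` prefix (`esGwRegionalOrAz`, `esFwAz`, `esGwAzSku`, `esErRegionalOrAz`), so the step element name breaks the file's naming convention. The element definition is outside this chunk, so I cannot confirm its name; if it is introduced by this same change, renaming it and the output to `"enableVpnActiveActive": "[steps('esConnectivityGoalState').esVpnActiveActive]"` keeps the convention, and if it already exists elsewhere a short PR-description note explaining the exception would help the next reader. The enclosing outputs object starts and ends outside the hunk.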
@@ -17,12 +17,12 @@ Please refer to [Enterprise-Scale Landing Zones User Guide](https://github.com/A If the business requirements changes over time, such as migration of on-prem applications to Azure that requires hybrid connectivity, the architecture allows you to expand and implement networking without refactoring Azure Design with no disruption to what is already in Azure. The Enterprise-Scale architecture allows to create the Connectivity Subscription and place it into the platform Management Group and assign Azure Policies or/and deploy the target networking topology using either Virtual WAN or Hub and Spoke networking topology. For more details, see the *next steps* section at the end of this document. -## Pre-requisites +## Prerequisites -To deploy this ARM template, your user/service principal must have Owner permission at the Tenant root. -See the following [instructions](../../EnterpriseScale-Setup-azure.md) on how to grant access before you proceed. +To deploy this ARM template, there are a number of prerequisites that must be met. +See [here](../../wiki/Deploying-ALZ-Pre-requisites.md) for more details. -### Optional pre-requsites +### Optional pre-requisites The deployment experience in Azure portal allows you to bring in an existing (preferably empty) subscription dedicated for platform management, and an existing subscription that can be used as the initial landing zone for your applications. 
@@ -63,7 +63,6 @@ By default, all recommendations are enabled, and you must explicitly disable the
 - Azure Sentinel
 - Diagnostics settings for Activity Logs, VMs, and PaaS resources sent to Log Analytics
 - (Optionally) An Azure subscription dedicated for Identity in case your organization requires to have Active Directory Domain Controllers in a dedicated subscription.
-- (Optionally) Integrate your Azure environment with GitHub (Azure DevOps will come later), where you provide the PA Token to create a new repository and automatically discover and merge your deployment into Git.
 - Landing Zone Management Group for Online applications that will be internet-facing, where a virtual network is optional and hybrid connectivity is not required.
 - This is where you will create your Subscriptions that will host your online workloads.
 - Landing zone subscriptions for Azure native, internet-facing Online applications and resources.
diff --git a/docs/wiki/ALZ-AMA-FAQ.md b/docs/wiki/ALZ-AMA-FAQ.md
new file mode 100644
index 0000000000..c7585a0b1d
--- /dev/null
+++ b/docs/wiki/ALZ-AMA-FAQ.md
@@ -0,0 +1,47 @@
+## In this Section
+
+- [What to do if you have a need for a feature that is not in AMA, not GA, and not available in an alternative solution?](#What-to-do-if-you-have-a-need-for-a-feature-that-is-not-in-AMA,-not-GA,-and-not-available-in-an-alternative-solution?)
+- [Migration guidance for existing customers?](#Migration-guidance-for-existing-customers?)
+
+- [Why do I need an User-Assigned Managed Identity?](#Why-do-I-need-a-User-Assigned-Managed-Identity?)
+- [Why do I need Data Collection Rules?](#Why-do-I-need-Data-Collection-Rules?)
+- [Custom Policies and Assignments](#Custom-Policies-and-Assignments)
+- [MMA deprecation vs Legacy Solutions in Log Analytics Workspace](#MMA-deprecation-and-Legacy-Solutions-in-Log-Analytics-Workspace)
+
+---
+
+## What to do if you have a need for a feature that is not in AMA, not GA, and not available in an alternative solution?
+
+The ALZ team will assess solutions for parity ongoing. Please review the AMA parity Gaps table [here](./ALZ-AMA-Update#table-ama-parity-status) for the latest updates and guidance.
+
+If you have any additional questions or concerns, please do not hesitate to raise a support ticket for further assistance.
+
+## Migration guidance for existing customers?
+
+Currently the ALZ Portal Accelerator Deployment has been updated. Brownfield migration guidance and Bicep and Terraform updates are to follow in short-term.
+
+## Why do I need a User-Assigned Managed Identity?
+
+Managed identity must be enabled on Azure virtual machines, as this is required for authentication.
+
+A user-assigned Managed identity is recommended for large-scale deployments, as you can create a user-assigned managed identity once and share it across multiple VMs, which means it's more scalable than a system-assigned managed identity. If you use a user-assigned managed identity, you must pass the managed identity details to Azure Monitor Agent via extension settings, which we do automatically through ARM/ Policy. 
Running the ALZ Portal Accelerator will create a User Assigned Managed Identity for each subscription that was selected.
+
+## Why do I need Data Collection Rules?
+
+A data collection rule (DCR) is a configuration that defines the data collection process in Azure Monitor. A DCR specifies what data should be collected and where to send that data. As part of the current deployment 3 DCRs are created to collect data for VM Insights, Change Tracking and Defender for SQL.
+
+## Custom Policies and Assignments
+
+Our intention is to use Built-in Policies, however there are scenarios where custom policies are deployed to provide additional flexibility. For example, Built-In policies may contain certain hardcoded default values, or assign highly privileged roles, that conflict with ALZ principles.
+
+## MMA deprecation and Legacy Solutions in Log Analytics Workspace
+
+It's important to highlight that while MMA deprecation is in August 2024, this doesn't necessarily impact the Legacy Solutions in Log Analytics. The following Solutions are still deployed as part of the current version:
+
+- Sentinel: Is only deployed through ALZ, which is still achieved by deploying the Solution. We don't deploy additional configurations. Consult [AMA migration for Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate) for more information.
+- Change Tracking: Aside from the solution being deployed in Log Analytics, we deploy the new components like DCRs and policies to enable Change Tracking through AMA.
+
+## Why is a Policy disbled in the "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace" initiative?
+
+The Microsoft Defender for SQL are custom policies based on the built-in policies. These are made custom to add additional flexibility for resource naming and placement, as well as excluding certain resources from being deployed through Policy. 
The disabled policy didn’t add any additional value at this moment as the configurations it deploys are handled in the ARM template.
+
diff --git a/docs/wiki/ALZ-AMA-Migration-Guidance.md b/docs/wiki/ALZ-AMA-Migration-Guidance.md
new file mode 100644
index 0000000000..17a6e915f6
--- /dev/null
+++ b/docs/wiki/ALZ-AMA-Migration-Guidance.md
@@ -0,0 +1,378 @@ +# Introduction + +The ALZ Portal Accelerator has recently been enhanced, and starting with the 2024-01-31 release, has removed the legacy MMA agent and now deploys Azure Monitor Agent (AMA) to new environments. With the 2024-06-03 release, there are also updates for User Assigned Managed Identities. Azure Landing Zones has transitioned to using one centralized User Assigned Managed Identity. This consolidation of User Assigned Managed Identity for AMA represents an important improvement in managing deployments at scale more effectively. Please refer to [What’s new](https://github.com/Azure/Enterprise-Scale/wiki/Whats-new) for more information. + +This guide explains the topics and configurations that Azure Landing Zones use, and we discuss many of the common scenarios in the section on assessing the current state. However, this guide does not provide detailed instructions for custom implementations or extra features that are not part of Azure Landing Zones. For those scenarios, we refer to the documentation from the Product teams. 
+ +If you are looking for Terraform guidance please refer to [\[User Guide\] Upgrade from v5.2.1 to v6.0.0](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v5.2.1-to-v6.0.0) + +And for Bicep guidance refer to: [v0.18.0 Release Notes](https://github.com/Azure/ALZ-Bicep/releases/tag/v0.18.0) + +## Parity gaps + +Please check the most recent information on parity gaps before you begin: + +- [Known parity gaps for solutions that may impact your migration](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration#known-parity-gaps-for-solutions-that-may-impact-your-migration) +- [Microsoft Sentinel Gap analysis between agents](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate#gap-analysis-between-agents) +- [Change Tracking and Inventory using Azure Monitoring Agent doesn't support or has the following limitations](https://learn.microsoft.com/en-us/azure/automation/change-tracking/overview-monitoring-agent?tabs=win-az-vm#current-limitations) + +## MDfC Defender for Servers + +All Defender for Servers features and capabilities will be provided through a single agent Microsoft Defender for Endpoint (MDE) integration, complemented by agentless capabilities, without dependency on either Log Analytics Agent (MMA) or Azure Monitoring Agent (AMA). Please refer to the following blog post containing the latest information [Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341) + +## This guide covers the following topics + +- **Assess current state:** Identify and determine the steps required to migrate to AMA. +- **Update Azure Landing Zones:** Guidance and automation to update your Azure Landing Zones components. 
Automation helps configure the following tasks: + - Deploy User Assigned Managed Identity + - Deploy Data Collection Rules + - Update Policy and Initiative definitions + - Remove Legacy Policy Assignments + - Remove Legacy Solutions + - Assigning new Policies and Initiatives + - Assign permissions to Landing Zones managed identity + - Policy remediation +- **Removing MMA and additional steps:** Depending on the discoveries during the initial assessment you may need to run additional steps before you can remove MMA. Please refer to the tooling and guidance provided by the product team: + - Configure additional Data collection Rules (DCR Config Generator) + - AMA Migration for Microsoft Sentinel. Configuring connectors to send events via AMA + - Installing AMA on Non-Azure VMs with Azure Arc + - Update your Hybrid Workers (V1) to Extension based Hybrid Workers (V2) + - Custom settings for Change Tracking data types + - Migrating schedules to Azure Update Manager + - Removing MMA Agent + +## Migration paths + +1. [Migrate from MMA to AMA](#migrate-from-mma-to-ama). Applies to releases: + a. 2024-01-07 and earlier +1. [Update to latest AMA release](#update-to-latest-ama-release). Applies to releases: + a. 2024-04-24 + a. 2024-03-08 + a. 2024-03-04 + a. 2024-02-14 + a. 2024-02-12 + a. 2024-02-07 + a. 2024-02-05 + a. 2024-01-31 + +# Migrate from MMA to AMA + +## Assess current state + +Although this guidance is concentrated on managing resources within Azure Landing Zones, it is crucial to be aware of other settings in your environment that may necessitate further considerations and steps when planning to migrate. + +It's advisable to evaluate and record the information listed below, each of these points will be covered in more detail: + +- Identify which computers are linked to the Log Analytics Workspace. +- Identify which Agents have VM Insights enabled. +- Identify what Windows event logs the legacy agent’s collects. 
+- Identify what Windows performance counters are collected via legacy agents. +- Identify what Linux performance counters are collected via legacy agents. +- Identify which Linux Syslog are collected by legacy agents. +- Review if Windows IIS Logs are being collected through legacy agents. +- Review whether any custom logs are collected using legacy agents. +- Document Legacy Workspace Solutions that are implemented within the Workspace. +- Document which legacy agents are set up as Hybrid Workers within Automation Accounts. + +### AMA Migration Helper + +AMA Migration Helper is a workbook-based Azure Monitor solution that helps you discover what to migrate and track progress as you move from Log Analytics Agent to Azure Monitor Agent. [AMA Migration Helper](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration-tools#using-ama-migration-helper) + +### Non-Azure VMs + +Should you encounter Non-Azure Virtual Machines utilizing the MMA agent, it is required to on-board them to Azure Arc prior to setting up AMA. Follow the Azure Arc documentation for guidance [Plan and deploy Azure Arc-enabled servers - Azure Arc](https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-at-scale-deployment) + +### Microsoft Sentinel + +If Microsoft Sentinel is used in your environment, please refer to the recommended migration plan for additional steps and guidance. 
[AMA migration for Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate) + +### Change Tracking + +This guide assumes the default configuration, if you have changed the settings for Change Tracking data types, see migration options here: [Migration guidance from Change Tracking and inventory using Log Analytics to Change Tracking and inventory using Azure Monitoring Agent version](https://learn.microsoft.com/en-us/azure/automation/change-tracking/guidance-migration-log-analytics-monitoring-agent?tabs=ct-single-vm%2Climit-single-vm) + +### Azure Update Manager + +Azure Landing Zones assigns policies that enable periodic assessments in Azure Update Manager. If you require to migrate additional configurated like schedules please consult [Move from Automation Update Management to Azure Update Manager](https://learn.microsoft.com/en-us/azure/update-manager/guidance-migration-automation-update-management-azure-update-manager?tabs=update-mgmt#step-1-migration-of-machines-and-schedules) + +### Migrate additional services and features + +Azure Monitor Agent is GA for data collection. Most services that used Log Analytics agent for data collection have migrated to Azure Monitor Agent. Refer to the table provided here [Migrate additional services and features](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration#migrate-additional-services-and-features) for more information. 
+
+### Identify which computers are linked to the Log Analytics Workspace
+
+Use the following KQL query on the Log Analytics Workspace to identify computers that are linked to the Log Analytics Workspace:
+
+```kusto
+Heartbeat
+| where TimeGenerated >= ago(7d)
+| summarize make_set(Category) by Computer
+| extend Legacy = iif(set_Category contains "Direct" or set_Category contains "SCOM", true, false)
+| extend AMA = iif(set_Category contains "Monitor", true, false)
+| extend Status = case(
+ Legacy == true and AMA == false, "Not started",
+ Legacy == true and AMA == true, "In progress",
+ "Completed"
+ )
+| project-away set_Category
+| order by Computer asc
+| project
+ Computer,
+ ["Migration Status"] = Status,
+ ["Legacy Installed"] = Legacy,
+ ["AMA Installed"] = AMA
+```
+
+### Identify which Agents have VM Insights enabled
+
+Use the following KQL query on the Log Analytics Workspace to identify agents that VM Insights enabled:
+
+```kusto
+Heartbeat
+| where Category == 'Direct Agent' or Category contains 'SCOM'
+| distinct Computer
+| join kind=fullouter (
+InsightsMetrics
+| distinct Computer
+| join kind = fullouter (VMConnection | distinct Computer) on Computer
+| extend ['Guest performance'] = iif(Computer != '', true, false)
+| extend ['Processes and dependencies (Map)'] = iif(Computer1 != '', true, false)
+| extend Computer = iif(Computer == '',Computer1, Computer)
+| project-away Computer1
+) on Computer
+| where Computer != ''
+| project-away Computer1
+| order by Computer desc
+```
+
+### Identify what event logs and performance counters the legacy agent’s collects
+
+To identify which Event logs, Syslog, Performance counters and IIS are being collected review the corresponding tabs in **Log Analytics Workspace > Classic > Legacy agents management**.
+
+To find out more about the computers from which the IIS logs are gathered, run the following KQL query.
+
+```kusto
+W3CIISLog
+| distinct Computer
+```
+
+To identify whether custom logs are collected go to **Log Analytics Workspace > Settings > Tables** and document any entries of type **Custom table (classic)**. To Identify from which computers custom logs are collected run the following KQL query for each Custom Table:
+
+```kusto
+TableName_CL
+| distinct Computer
+```
+
+To find out which computers have Change Tracking enabled, execute the following KQL query:
+
+```kusto
+ConfigurationData
+| distinct Computer
+```
+
+### Document which legacy agents are set up as Hybrid Workers within Automation Accounts
+
+Agent-based (V1) Hybrid Runbook Workers rely on the Log Analytics agent reporting to an Azure Monitor Log Analytics workspace. To discover the Hybrid Workers running the V1 configuration review the automation account information **Automation Accounts > Process Automation > Hybrid worker groups**.
+
+## Update Azure Landing Zones
+
+> [!CAUTION]
+> This script intended for Azure Landing Zone Portal Accelerator deployments only. It is not for Terraform and Bicep deployments of ALZ.
+>
+> IMPORTANT: THIS SCRIPT WILL DEPLOY, UNASSIGN AND REMOVE RESOURCES! We recommend that you have carefully assessed your current state and followed the guidance from both the Azure Landing Zones documentation and the public documentation that it references. Use the -WhatIf parameter to see what the changes will do before you apply them.
+
+1. Start PowerShell
+1. Clone the Enterprise-Scale repository

+ `git clone https://github.com/Azure/Enterprise-Scale.git`

+1. Change directory

+ `cd .\Enterprise-Scale\`

+1. Login to Azure:

+ `Login-AzAccount`

+1. Select your management subscription

+ `Select-AzSubscription -Subscription {subscriptionId}`

+ +> [!TIP] +> We highly recommend running the script with -WhatIf to see what the changes will do before you apply them. + +### To run the script with -WhatIf + +Set the correct values for: + +- -location +- -eslzRoot +- -managementResourceGroupName +- -workspaceResourceId +- -workspaceRegion + +```powershell +.\src\scripts\Update-AzureLandingZonesToAMA.ps1 -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}" -workspaceRegion "northeurope" -migrationPath MMAToAMA -DeployUserAssignedManagedIdentity -DeployVMInsights -DeployChangeTracking -DeployMDfCDefenderSQL -DeployAzureUpdateManager -RemoveLegacyPolicyAssignments -RemoveLegacySolutions -UpdatePolicyDefinitions -WhatIf +``` + +#### Example result of running the ALZ MMA to AMA migration with `-WhatIf` + +![Animated image showing the result of running the AMA Migration script with -WhatIf parameter](./media/ama-migrate-whatif.gif) + +### Migrate to AMA + +Set the correct values for: + +- -location +- -eslzRoot +- -managementResourceGroupName +- -workspaceResourceId +- -workspaceRegion + +> [!TIP] +> You don't have to update everything at once. Use the switches like `-DeployVMInsights` to update specific features. 
+ +```powershell +.\src\scripts\Update-AzureLandingZonesToAMA.ps1 -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}" -workspaceRegion "northeurope" -migrationPath MMAToAMA -DeployUserAssignedManagedIdentity -DeployVMInsights -DeployChangeTracking -DeployMDfCDefenderSQL -DeployAzureUpdateManager -RemoveLegacyPolicyAssignments -RemoveLegacySolutions -UpdatePolicyDefinitions +``` + +#### Example result of running the ALZ MMA to AMA migration + +![Animated image showing the result of running the AMA Migration script](./media/ama-migrate.gif) + +### Remediate Policies + +The script can be used to remediate the newly assigned policies. Before running the remediations please wait for the Policy Engine to process the compliance state for the new assignments (alternatively you can use Start-AzPolicyComplianceScan) + +Set the correct values for: + +- -location +- -eslzRoot +- -managementResourceGroupName +- -workspaceResourceId +- -workspaceRegion + +```powershell +.\src\scripts\Update-AzureLandingZonesToAMA.ps1 -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}" -workspaceRegion "northeurope" -migrationPath MMAToAMA -RemediatePolicies +``` + +## Removing MMA and additional steps + +Depending on your situation and the outcome of your evaluation of the current state, you may require additional steps. + +### 1. Configure additional Data collection Rules + +To collect performance counters, IIS logs, syslog or custom logs, you can use DCR Config Generator. It creates data collection rules for different platforms by analyzing your workspace's Log Analytics agent configuration. 
[Installing and using DCR Config Generator](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration-tools#installing-and-using-dcr-config-generator) + +### 2. Microsoft Sentinel + +For additional steps to configure connectors to send events via AMA, please see: +[Migrate to the Azure Monitor agent (AMA) from the Log Analytics agent (MMA/OMS) for Microsoft Sentinel](https://learn.microsoft.com/en-gb/azure/sentinel/ama-migrate) + +### 3. Non-Azure VMs + +To install AMA on Hybrid VMs, you need to add these VMs to Azure Arc first. Please follow this guide: [Plan and deploy Azure Arc-enabled servers - Azure Arc](https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-at-scale-deployment) + +### 4. Hybrid Workers + +Follow the link below to update your Hybrid Workers (V1) to Extension based Hybrid Workers (V2): [Deploy an extension-based Windows or Linux User Hybrid Runbook Worker in Azure Automation](https://learn.microsoft.com/en-us/azure/automation/extension-based-hybrid-runbook-worker-install?tabs=windows%2Cbicep-template#migrate-an-existing-agent-based-to-extension-based-hybrid-workers) + +### 5. Change Tracking + +If you have changed the settings for Change Tracking data types, review the following guide for migration options: [Migration guidance from Change Tracking and inventory using Log Analytics to Change Tracking and inventory using Azure Monitoring Agent version](https://learn.microsoft.com/en-us/azure/automation/change-tracking/guidance-migration-log-analytics-monitoring-agent?tabs=ct-single-vm%2Climit-single-vm) + +### 6. Azure Update Manager + +If you require to migrate additional configurations like schedules, please review: [Move from Automation Update Management to Azure Update Manager](https://learn.microsoft.com/en-us/azure/update-manager/guidance-migration-automation-update-management-azure-update-manager?tabs=update-mgmt#step-1-migration-of-machines-and-schedules) + +### 7. 
Removing MMA Agent + +After you migrate your machines to the Azure Monitor Agent (AMA), you need to remove the Log Analytics Agent (also called the Microsoft Management Agent or MMA) to avoid duplication of logs. + +> [!IMPORTANT] +> For more information on running both agents on the same Machine please review the considerations provided here: [Before you begin](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration#before-you-begin) + +The Azure Tenant Security Solution (AzTS) MMA Discovery and Removal Utility provided by the Azure Monitor team can centrally remove the MMA extension from Azure virtual machines (VMs), Azure virtual machine scale sets, and Azure Arc servers from a tenant. [MMA Discovery and Removal Utility - Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-mma-removal-tool?tabs=single-tenant%2Cdiscovery) + +# Update to latest AMA release + +> [!CAUTION] +> This script intended for Azure Landing Zone Portal Accelerator deployments only. It is not for Terraform and Bicep deployments of ALZ. +> +> IMPORTANT: THIS SCRIPT WILL DEPLOY, UNASSIGN AND REMOVE RESOURCES! We recommend that you have carefully assessed your current state and followed the guidance from both the Azure Landing Zones documentation and the public documentation that it references. Use the -WhatIf parameter to see what the changes will do before you apply them. + +1. Start PowerShell +1. Clone the Enterprise-Scale repository

+ `git clone https://github.com/Azure/Enterprise-Scale.git`

+1. Change directory

+ `cd .\Enterprise-Scale\`

+1. Login to Azure:

+ `Login-AzAccount`

+1. Select your management subscription

+ `Select-AzSubscription -Subscription {subscriptionId}`

+ +> [!TIP] +> We highly recommend running the script with -WhatIf to see what the changes will do before you apply them. + +## To run the update with -WhatIf + +Set the correct values for: + +- -location +- -eslzRoot +- -managementResourceGroupName +- -workspaceResourceId +- -workspaceRegion + +```powershell +.\src\scripts\Update-AzureLandingZonesToAMA.ps1 -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}" -workspaceRegion "northeurope" -migrationPath UpdateAMA -UpdatePolicyDefinitions -removeLegacyPolicyAssignments -deployUserAssignedManagedIdentity -deployVMInsights -deployChangeTracking -deployMDfCDefenderSQL -WhatIf +``` + +### Example result of running the ALZ AMA update with `-WhatIf` + +![Animated image showing the result of running the AMA Update script with -WhatIf parameter](./media/ama-update-whatif.gif) + +## Update AMA + +Set the correct values for: + +- -location +- -eslzRoot +- -managementResourceGroupName +- -workspaceResourceId +- -workspaceRegion + +> [!TIP] +> You don't have to update everything at once. Use the switches like `-DeployVMInsights` to update specific features. 
+ +```powershell +.\src\scripts\Update-AzureLandingZonesToAMA.ps1 -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}" -workspaceRegion "northeurope" -migrationPath UpdateAMA -UpdatePolicyDefinitions -removeLegacyPolicyAssignments -deployUserAssignedManagedIdentity -deployVMInsights -deployChangeTracking -deployMDfCDefenderSQL +``` + +### Example result of running the ALZ AMA update + +![Animated image showing the result of running the AMA Update script](./media/ama-update.gif) + +## Remediate modified policy assignments + +The script can be used to remediate the newly/updated assigned policies. Before running the remediations please wait for the Policy Engine to process the compliance state for the new assignments (alternatively you can use Start-AzPolicyComplianceScan) + +Set the correct values for: + +- -location +- -eslzRoot +- -managementResourceGroupName +- -workspaceResourceId +- -workspaceRegion + +```powershell +.\src\scripts\Update-AzureLandingZonesToAMA.ps1 -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}" -workspaceRegion "northeurope" -migrationPath UpdateAMA -RemediatePolicies +``` + +## Remove obsolete User Assigned Managed Identities + +The User Assigned Managed Identity has been centralized within the management resource group. It's no longer necessary to have a User Assigned Managed Identity deployed across individual subscriptions, and these should be removed. Executing the following command will remove the User Assigned Managed Identity from every subscription and, if the resource group is doesn’t contain other resources, it will be removed as well. 
+
+Set the correct values for:
+
+- -location
+- -eslzRoot
+- -managementResourceGroupName
+- -workspaceResourceId
+- -workspaceRegion
+
+```powershell
+.\src\scripts\Update-AzureLandingZonesToAMA.ps1 -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}" -workspaceRegion "northeurope" -migrationPath UpdateAMA -removeObsoleteUAMI
+```
diff --git a/docs/wiki/ALZ-AMA-PowerShell-Script.md b/docs/wiki/ALZ-AMA-PowerShell-Script.md
new file mode 100644
index 0000000000..c43870ae61
--- /dev/null
+++ b/docs/wiki/ALZ-AMA-PowerShell-Script.md
@@ -0,0 +1,331 @@ +# Update-AzureLandingZonesToAMA + +> [!IMPORTANT] +> This script intended for Azure Landing Zone Portal Accelerator deployments only. It is not for Terraform and Bicep deployments of ALZ. + +## Description + +We have created a script that can assist you with updating the Azure Landing Zones components. This script can automatically do the following tasks, you can turn on or off some parts of the script, see the Syntax section for more details: + +- Update Policies and Initiatives. +- Delete outdated Policy Assignments. +- Deploy a User Assigned Managed Identity for the AMA agent. +- Deploys Data Collection Rules. +- Assign new Policies and Initiatives. +- Remove Legacy Solutions +- Create remediation tasks for the newly assigned Policies and initiatives. +- Remove obsolete User Assigned Managed Identities (that were deployed with releases starting 2024-01-31 until 2024-04-24) + +> [!IMPORTANT] +> The script will NOT remove the MMA agent. Please see [Removing MMA & additional steps](./ALZ-AMA-Migration-Guidance.md#removing-mma-and-additional-steps). + +## Support + +The ALZ team will support the PowerShell script for six months after MMA deprecation date, until February 28, 2025. Please report any issues here: [Issues](https://github.com/Azure/Enterprise-Scale/issues) + +## Prerequisites + +1. PowerShell 7 (Tested with version 7.4.2 on Windows) +2. Az Modules + 1. Az.Resources (Tested with version 7.1.0) + 2. Az.Accounts (Tested with version 3.0.0) + 3. Az.MonitoringSolutions (Tested with version 0.1.1) + 4. Az.ResourceGraph (Tested with version 1.0.0) +3. 
Git + +> [!NOTE] +> While other configurations and versions may work, please update first if you run into any issues before raising an [Issue](https://github.com/Azure/Enterprise-Scale/issues) + +## Syntax + +```powershell +Update-AzureLandingZonesToAMA + [-location ] (Required) + [-eslzRoot ] (Required) + [-managementResourceGroupName ] (Required) + [-workspaceResourceId ] (Required) + [-workspaceRegion ] (Required) + [-migrationPath , accepted values "MMAToAMA", "UpdateAMA"] (Required) + [-deployUserAssignedManagedIdentity ] (Optional) + [-deployVMInsights ] (Optional) + [-deployChangeTracking ] (Optional) + [-deployMDfCDefenderSQL ] (Optional) + [-deployAzureUpdateManager ] (Optional) + [-remediatePolicies ] (Optional) + [-removeLegacyPolicyAssignments ] (Optional) + [-removeLegacySolutions ] (Optional) + [-updatePolicyDefinitions ] (Optional) + [-removeObsoleteUAMI ] (Optional) +``` + +## Examples + +### Example 1: Update Policy Definitions + +```powershell +.\src\scripts\Update-AzureLandingZonesToAMA.ps1 -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourcegroups/contoso-mgmt/providers/microsoft.operationalinsights/workspaces/contoso-law" -workspaceRegion "northeurope" -migrationPath MMAToAMA -updatePolicyDefinitions + + +Updating Policies ... + +- Updating Policy Definitions: Resource changes: 32 to create, 58 to modify, 68 no change. ... +- Updating Policy Set Definitions: Resource changes: 32 to create, 8 to modify, 5 no change. ... 
+``` + +### Example 2: Deploy VM Insights + +```powershell +.\src\scripts\Update-AzureLandingZonesToAMA.ps1 -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourcegroups/contoso-mgmt/providers/microsoft.operationalinsights/workspaces/contoso-law" -workspaceRegion "northeurope" -migrationPath MMAToAMA -removeLegacyPolicyAssignments -deployVMInsights + + +Removing legacy Policy Assignments ... + +- Removing legacy Policy Assignments: Deploy-VM-Monitoring from scope contoso ... +- Removing legacy Policy Assignments: Deploy-VMSS-Monitoring from scope contoso ... + +Deploying User Assigned Managed Identity ... + +- Deploying User Assigned Managed Identity: Name: id-ama-prod-northeurope-001 to resource group contoso-mgmt; Resource changes: 1 to create, 12 to ignore. ... +- Assigning 'DenyAction-DeleteUAMIAMA' policy to scope contoso-platform ... + +Deploying VMInsights ... + +- Deploying a data collection rule for VMInsights: Name: dcr-vminsights-prod-northeurope-001 to resource group contoso-mgmt; Resource changes: 1 to create, 13 to ignore. ... +- Assigning policies for VMInsights: DINE-VMMonitoringPolicyAssignment.json to scope contoso-platform; Resource changes: 5 to create. ... +- Assigning policies for VMInsights: DINE-VMSSMonitoringPolicyAssignment.json to scope contoso-platform; Resource changes: 5 to create. ... +- Assigning policies for VMInsights: DINE-VMHybridMonitoringPolicyAssignment.json to scope contoso-platform; Resource changes: 3 to create. ... +- Assigning policies for VMInsights: DINE-VMMonitoringPolicyAssignment.json to scope contoso-landingzones; Resource changes: 5 to create. ... +- Assigning policies for VMInsights: DINE-VMSSMonitoringPolicyAssignment.json to scope contoso-landingzones; Resource changes: 5 to create. ... 
+- Assigning policies for VMInsights: DINE-VMHybridMonitoringPolicyAssignment.json to scope contoso-landingzones; Resource changes: 3 to create. ... +``` + +### Example 3: Using -WhatIf + +```powershell +.\src\scripts\Update-AzureLandingZonesToAMA.ps1 -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourcegroups/contoso-mgmt/providers/microsoft.operationalinsights/workspaces/contoso-law" -workspaceRegion "northeurope" -migrationPath MMAToAMA -removeLegacySolutions -WhatIf + + +Removing legacy solutions ... + +What if: Performing the operation "- Removing legacy solutions: VMInsights(contoso-law)" on target "/subscriptions/{subscriptionId}/resourcegroups/contoso-mgmt/providers/microsoft.operationalinsights/workspaces/contoso-law". +What if: Performing the operation "- Removing legacy solutions: AgentHealthAssessment(contoso-law)" on target "/subscriptions/{subscriptionId}/resourcegroups/contoso-mgmt/providers/microsoft.operationalinsights/workspaces/contoso-law". +What if: Performing the operation "- Removing legacy solutions: Updates(contoso-law)" on target "/subscriptions/{subscriptionId}/resourcegroups/contoso-mgmt/providers/microsoft.operationalinsights/workspaces/contoso-law". +What if: Performing the operation "- Removing legacy solutions: SQLAssessment(contoso-law)" on target "/subscriptions/{subscriptionId}/resourcegroups/contoso-mgmt/providers/microsoft.operationalinsights/workspaces/contoso-law". +What if: Performing the operation "- Removing legacy solutions: SQLAdvancedThreatProtection(contoso-law)" on target "/subscriptions/{subscriptionId}/resourcegroups/contoso-mgmt/providers/microsoft.operationalinsights/workspaces/contoso-law". 
+What if: Performing the operation "- Removing legacy solutions: SQLVulnerabilityAssessment(contoso-law)" on target "/subscriptions/{subscriptionId}/resourcegroups/contoso-mgmt/providers/microsoft.operationalinsights/workspaces/contoso-law". +What if: Performing the operation "- Removing legacy solutions: Security(contoso-law)" on target "/subscriptions/{subscriptionId}/resourcegroups/contoso-mgmt/providers/microsoft.operationalinsights/workspaces/contoso-law". +``` + +## Parameters + +### -location + +The deployment location. + +| Type | String | +| ------------- | ------ | +| Required | True | +| Default value | None | + +### -eslzRoot + +Intermediate root management group id. + +| Type | String | +| ------------- | ------ | +| Required | True | +| Default value | None | + +### -managementResourceGroupName + +The management Resource Group name. This is `eslzRoot-mgmt`. For example `contoso-mgmt`. + +| Type | String | +| ------------- | ------ | +| Required | True | +| Default value | None | + +### -workspaceResourceId + +Log Analytics workspace id. Expected format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}` + +| Type | String | +| ------------- | ------ | +| Required | True | +| Default value | None | + +### -workspaceRegion + +The Log Analytics workspace region. + +| Type | String | +| ------------- | ------ | +| Required | True | +| Default value | None | + +### -migrationPath + +This parameter determines what parts of the script are available depending on your migration scenario. + +1. Use `MMAToAMA` if you are currently using MMA and need to perform a full migration. Applies to release _2024-01-07_ and earlier. +2. Use `UpdateAMA` if you are currently using AMA that was deployed by the Portal Accelerator over the past months. Applies to releases; _2024-04-24, 2024-03-08, 2024-03-04, 2024-02-14, 2024-02-12, 2024-02-07, 2024-02-05, 2024-01-31_. 
+ +| Type | String | +| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Required | True | +| Default value | None | +| Allowed values | "MMAToAMA", "UpdateAMA" | +| Available parameters for `MMAToAMA` | `UpdatePolicyDefinitions`
`RemoveLegacyPolicyAssignments`
`DeployUserAssignedManagedIdentity`
`DeployVMInsights`
`DeployChangeTracking`
`DeployMDfCDefenderSQL`
`DeployAzureUpdateManager`
`RemoveLegacySolutions`
`RemediatePolicies` | +| Available parameters for `UpdateAMA` | `UpdatePolicyDefinitions`
`RemoveLegacyPolicyAssignments`
`DeployUserAssignedManagedIdentity`
`DeployVMInsights`
`DeployChangeTracking`
`DeployMDfCDefenderSQL`
`RemediatePolicies`
`removeObsoleteUAMI` | + +### -deployUserAssignedManagedIdentity + +Deploys a User Assigned Managed Identity to the Management Resource Group. + +- Checks for an existing User Assignment Managed Identity `id-ama-prod-$location-001` in the management resource group. +- Checks for an existing policy assignment `DenyAction-DeleteUAMIAMA` on the platform management group scope. +- Deploys a User Assigned Managed Identity template [userAssignedIdentity.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/userAssignedIdentity.json). +- Deploys a Policy Assignment template [DENYACTION-DeleteUAMIAMAPolicyAssignment.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json). + +| Type | SwitchParameter | +| ------------- | --------------- | +| Required | False | +| Default value | None | + +### -deployVMInsights + +Deploys the Data Collection Rule for VM Insights and assigns new policies. When it is run to Update AMA it will update the existing Policy Assignments to enable the single centralized UAMI by setting the feature flag `restrictBringYourOwnUserAssignedIdentityToSubscription` to `false`. Due to dependencies, running this command will also deploy the User Assigned Managed Identity resources. + +- Checks for an existing Data Collection rule `dcr-vminsights-prod-$location-001` in the management Resource Group. +- Checks for existing policy assignments `Deploy-VM-Monitoring`, `Deploy-VMSS-Monitoring`, `Deploy-vmHybr-Monitoring` on the platform and landing zone scopes. +- Deploys a Data Collection Rule template [dataCollectionRule-VmInsights.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json). 
+- Deploys Policy Assignment templates; [DINE-VMMonitoringPolicyAssignment.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json), [DINE-VMSSMonitoringPolicyAssignment.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json), [DINE-VMHybridMonitoringPolicyAssignment.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json) + +| Type | SwitchParameter | +| ------------- | --------------- | +| Required | False | +| Default value | None | + +### -deployChangeTracking + +Deploys the Data Collection Rule for Change Tracking and assigns new policies. When it is run to Update AMA it will update the existing Policy Assignments to enable the single centralized UAMI by setting the feature flag `restrictBringYourOwnUserAssignedIdentityToSubscription` to `false`. Due to dependencies, running this command will also deploy the User Assigned Managed Identity resources. + +- Checks for an existing Data Collection rule `dcr-changetracking-prod-$location-001` in the management Resource Group. +- Checks for existing policy assignments `Deploy-VM-ChangeTrack`, `Deploy-VMSS-ChangeTrack`, `Deploy-vmArc-ChangeTrack` on the platform and landing zone scopes. +- Deploys a Data Collection Rule template [dataCollectionRule-CT.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json). 
+- Deploys Policy Assignment templates; [DINE-ChangeTrackingVMPolicyAssignment.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json), [DINE-ChangeTrackingVMSSPolicyAssignment.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json), [DINE-ChangeTrackingVMArcPolicyAssignment.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json) + +| Type | SwitchParameter | +| ------------- | --------------- | +| Required | False | +| Default value | None | + +### -deployMDfCDefenderSQL + +Deploys the Data Collection Rule for Defender for SQL and assigns new policies. Due to dependencies, running this command will also deploy the User Assigned Managed Identity resources. + +- Checks for an existing Data Collection rule `dcr-defendersql-prod-$location-001` in the management Resource Group. +- Checks for an existing policy assignment `Deploy-MDFC-DefSQL-AMA` on the platform and landing zone scopes. +- Deploys a Data Collection Rule template [dataCollectionRule-DefenderSQL.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json). +- Deploys Policy Assignment template [DINE-MDFCDefenderSQLAMAPolicyAssignment.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json). + +| Type | SwitchParameter | +| ------------- | --------------- | +| Required | False | +| Default value | None | + +### -deployAzureUpdateManager + +Configures Azure Update Manager. + +- Checks for an existing policy assignment `Enable-AUM-CheckUpdates`. 
+- Deploys Policy Assignment template [MODIFY-AUM-CheckUpdatesPolicyAssignment.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json). + +| Type | SwitchParameter | +| ------------- | --------------- | +| Required | False | +| Default value | None | + +### -remediatePolicies + +Creates remediation tasks for the following Policy Assignments: + +- [[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/c4a70814-96be-461c-889f-2b27429120dc.html) +- [[Preview]: Enable ChangeTracking and Inventory for virtual machines](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/92a36f05-ebc9-4bba-9128-b47ad2ea3354.html) +- [[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/53448c70-089b-4f52-8f38-89196d7f2de1.html) +- [Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/f5bf694c-cca7-4033-b883-3a23327d5485.html) +- [Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/924bfe3a-762f-40e7-86dd-5c8b95eb09e6.html) +- [Enable Azure Monitor for Hybrid VMs with AMA](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/2b00397d-c309-49c4-aa5a-f0b2c5bc6321.html) +- [Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html) +- [Deploy-AUM-CheckUpdates](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-AUM-CheckUpdates.html) + +| Type | SwitchParameter | +| ------------- | --------------- | +| Required | False | +| Default value | None | + +### -removeLegacyPolicyAssignments + +Removes 
deprecated policy assignments.
+
+When combined with parameter `-MMAToAMA` it removes assignments:
+
+- deploy-vm-monitoring
+- deploy-vmss-monitoring
+
+When combined with parameter `-UpdateAMA` it removes assignments:
+
+- deploy-mdfc-defensql-ama
+- deploy-uami-vminsights
+
+| Type | SwitchParameter |
+| ------------- | --------------- |
+| Required | False |
+| Default value | None |
+
+### -removeLegacySolutions
+
+Removes all Legacy Solutions from the specified Log Analytics workspace except for `SecurityInsights` which is used by Microsoft Sentinel and `ChangeTracking`.
+
+| Type | SwitchParameter |
+| ------------- | --------------- |
+| Required | False |
+| Default value | None |
+
+### -updatePolicyDefinitions
+
+Updates custom Policy and Policy Set Definitions.
+
+| Type | SwitchParameter |
+| ------------- | --------------- |
+| Required | False |
+| Default value | None |
+
+### -removeObsoleteUAMI
+
+Initially a User Assigned Identity was created for each subscription. After implementing the AMA updates a new centralized UAMI will replace the existing Identities. When the centralized Identity is assigned to the VM/VMSS it is highly recommended to removed the previously created identities.
+
+If the Identity resource group is empty, it will also be removed.
+
+| Type | SwitchParameter |
+| ------------- | --------------- |
+| Required | False |
+| Default value | None |
+
+### -obsoleteUAMIResourceGroupName
+
+Specify the resource group name of the obsolete User Assigned Managed Identity.
+
+| Type | String |
+| ------------- | ----------------- |
+| Required | False |
+| Default value | "rg-ama-prod-001" |
+
+### -WhatIf
+
+Shows what would happen if the script runs. The script is not run.
+
+| Type | SwitchParameter |
+| ------------- | --------------- |
+| Required | False |
+| Default value | None |
diff --git a/docs/wiki/ALZ-AMA-Update.md b/docs/wiki/ALZ-AMA-Update.md
new file mode 100644
index 0000000000..f5cb13a8c5
--- /dev/null
+++ b/docs/wiki/ALZ-AMA-Update.md 
@@ -0,0 +1,92 @@
+## Introduction
+
+### Deprecation
+
+The Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), is on a deprecation path and won't be supported after August 31, 2024. Any new data centers brought online after January 1 2024 will not support the Log Analytics agent. If you use the Log Analytics agent to ingest data to Azure Monitor, migrate to the new Azure Monitor agent prior to that date.
+
+New ALZ deployments will use AMA exclusively. Brownfield guidance for adopting AMA is available [AMA Migration Guidance](./ALZ-AMA-Migration-Guidance)
+
+### Timing
+
+The migration from MMA to AMA has been a mayor project across multiple teams within Microsoft. ALZ held off on implementing AMA up to this point to ensure that a good feature set was available across all the different solutions. While there still are a few gaps, which are detailed below, we feel that the current AMA configuration is ready to be implemented in ALZ.
+
+## Strategy
+
+1. Include AMA for Greenfield customers using the portal deployment. (Completed)
+2. Brownfield adoption guidance is available. This includes:
+ - Implementation guidance
+ - Breaking changes
+ - Cleanup guidance
+ - Quick reference to public documentations for migration guidance for individual solutions
+3. Include AMA for Greenfield and Brownfield customers using either a Bicep or Terraform deployment.
(June 2024)
+
+## AMA parity
+
+Please check the most recent information on parity gaps:
+
+- [Known parity gaps for solutions that may impact your migration](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration#known-parity-gaps-for-solutions-that-may-impact-your-migration)
+- [Microsoft Sentinel Gap analysis between agents](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate#gap-analysis-between-agents)
+- [Change Tracking and Inventory using Azure Monitoring Agent doesn't support or has the following limitations](https://learn.microsoft.com/en-us/azure/automation/change-tracking/overview-monitoring-agent?tabs=win-az-vm#current-limitations)
+- [Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341)
+
+### Table: Summary AMA parity status
+
+| Service | What it does | Status | Parity |
+| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Agent health | Monitors agent heartbeat | Deprecating. You can query the heartbeat. AMBA already has an Alert Rule for this.
| N/A |
+| Sentinel | Security information and event management | Public Preview - Migrated to AMA | Windows Firewall Logs (Private preview), Application and service logs |
+| Change Tracking | This feature tracks changes in virtual machines hosted in Azure, on-premises, other clouds | GA - Migrated to AMA | Parity |
+| Azure Monitor --> VM Insights | Monitoring VMs | GA - Migrated to AMA | Parity |
+| Update Management | Manages VM patches and updates | GA - Migrated to Azure Update Management (AUM) that does not require an agent | |
+| SQL Vulnerability Assessment Solution | Helps discover, track, and remediate potential database vulnerabilities | GA - Migrated to AMA and is now part of Microsoft Defender for SQL | Parity |
+| SQL Advanced Thread Protection Solution | Detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases | GA - Migrated to AMA and is now part of Microsoft Defender for SQL | Parity |
+| SQL Assessment Solution | Identifies possible performance issues and evaluates that your SQL Server is configured to follow best practices. | GA - Now part of SQL best practices assessment. | Current ALZ Status 'Removed' due to LAW deployment constraint with ALZ design principles (requires LAW per subscription), ALZ team will work with relevant product team to address |
+| MDfC for Servers | Provide server protections through Microsoft Defender for Endpoint or extended protection with just-in-time network access, file integrity monitoring, vulnerability assessment, and more. | GA (See parity column for detail) - Migrated to MDC (Agentless) | Features in development: FIM, Endpoint protection discovery recommendations, OS Misconfigurations (ASB recommendations).
Features on backlog: Adaptive Application controls |
+| MDfC for SQL Server Virtual Machines | Protect your entire database estate with attack detection and threat response for the most popular database types in Azure to protect the database engines and data types, according to their attack surface and security risks. | GA - Migrated to AMA | |
+
+## Summary of changes to ALZ Code and Policies
+
+### Removed ARM resources.
+
+- Agent Health: Deprecated.
+- Change Tracking (Automation account)
+- Update Management (Automation account)
+- VM Insights (Legacy solution/ MMA)
+- SQL Assessment (Legacy solution)
+- Sql Vulnerability Assessment (Legacy solution)
+- Sql Advanced Threat Protection (Legacy solution)
+
+### Removed Azure Policy Assignments
+
+- PolicySetDefinition: Enable Azure Monitor for Virtual Machine Scale Sets / Legacy - Enable Azure Monitor for Virtual Machine Scale Sets
+- PolicySetDefinition: Enable Azure Monitor for VMs / Legacy - Enable Azure Monitor for VMs
+
+## New ARM Resources
+
+- User Assigned Managed Identity
+ - Name: id-ama-prod--001
+- Data collection rules
+ - dcr-changetracking-prod--001
+ - dcr-defendersql-prod--001
+ - dcr-vminsights-prod--001
+
+## New Custom Policy Definitions
+
+| Policy Definition / Policy Initiative | Child Policy Definitions |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Policy Initiative
[Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-AUM-CheckUpdates.html) | Windows: [59efceea-0c96-497e-a4a1-4eb2290dac15](https://www.azadvertizer.net/azpolicyadvertizer/59efceea-0c96-497e-a4a1-4eb2290dac15.html)
Linux: [59efceea-0c96-497e-a4a1-4eb2290dac15](https://www.azadvertizer.net/azpolicyadvertizer/59efceea-0c96-497e-a4a1-4eb2290dac15.html)
Windows: [bfea026e-043f-4ff4-9d1b-bf301ca7ff46](https://www.azadvertizer.net/azpolicyadvertizer/bfea026e-043f-4ff4-9d1b-bf301ca7ff46.html)
Linux: [bfea026e-043f-4ff4-9d1b-bf301ca7ff46](https://www.azadvertizer.net/azpolicyadvertizer/bfea026e-043f-4ff4-9d1b-bf301ca7ff46.html) |
+| Policy Definition
[Do not allow deletion of specified resource and resource type](https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-DeleteResources.html) | |
+
+## New Policy Assignments
+
+| Policy Definition / Policy Initiative (Set Definition) | Name |
+| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Policy Initiative | [Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/f5bf694c-cca7-4033-b883-3a23327d5485.html) |
+| Policy Initiative | [Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/924bfe3a-762f-40e7-86dd-5c8b95eb09e6.html) |
+| Policy Initiative | [Enable Azure Monitor for Hybrid VMs with AMA](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/2b00397d-c309-49c4-aa5a-f0b2c5bc6321.html) |
+| Policy Initiative (Custom) | [Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-AUM-CheckUpdates.html) |
+| Policy Initiative | [Enable Change Tracking and Inventory for Arc-enabled virtual machines](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/53448c70-089b-4f52-8f38-89196d7f2de1.html) |
+| Policy Initiative | [Enable Change Tracking and Inventory for virtual machines](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/92a36f05-ebc9-4bba-9128-b47ad2ea3354.html) |
+| Policy Initiative | [Enable ChangeTracking and Inventory for virtual machine scale sets](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/c4a70814-96be-461c-889f-2b27429120dc.html) |
+| Policy Initiative | [Enable Defender for SQL on SQL VMs and Arc-enabled SQL
Servers](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html) |
+| Policy Definition | [Do not allow deletion of the User Assigned Managed Identity used by AMA](https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-DeleteResources.html) |
diff --git a/docs/wiki/ALZ-Contribution-Guide.md b/docs/wiki/ALZ-Contribution-Guide.md
index 50b6b7f97f..d3e00ad8a6 100644
--- a/docs/wiki/ALZ-Contribution-Guide.md
+++ b/docs/wiki/ALZ-Contribution-Guide.md
@@ -89,37 +89,80 @@ Please see our [**security policy**](https://github.com/Azure/Enterprise-Scale/s Policies in the Azure Landing Zone reference implementations and repository are custom to Azure environments. They are definitions which are recommended when working with ALZ landing zones. The policies used in the reference implementations are mastered from the Enterprise-Scale repository. -To work with policies, they are location in [src/resources/Microsoft.Authorization/*](https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization). +To work with policies, they are located in [src/resources/Microsoft.Authorization/*](https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization). To create a new policy, it is worth taking the framework from an already existing policy. +#### Naming convention + In ALZ Custom there is a way to name the custom policies that are used. They are prefixed with one of the following: `Append`, `Audit`, `Deny` or `Deploy` -#### **Append** +##### **Append** When contributing a custom policy based on appending resources at scale, the correct prefix would be `Append` - such as `Append-AppService-httpsonly.json`. -#### **Audit** +##### **Audit** + +Auditing resources at scale via policy is achievable using the correct effect inside the definition. This policy contribution should be prefixed with `Audit` - example, `Audit-MachineLearning-PrivateEndpointId.json`. + +##### **Deny** + +Deny policies are used to prevent the creation/action of and on Azure resources. Policies being created and contributed should be prefixed with 'Deny' - example, `Deny-Databricks-Sku.json`. + +##### **Deploy** + +Deploy follows the DeployIfNotExists (DINE) methodology. Policy contribution should be named prefixed with `Deploy` - example, `Deploy-Custom-Route-Table.json`. -Auditing resources at scale via policy is achievable using the correct effect inside the definition. 
This policy contribution should be prefixed with `Audit` - in example, `Audit-MachineLearning-PrivateEndpointId.json`. +The naming convention should be formatted in the following manner: `{prefix}-{resourceType}-{targetSetting}.json`. In an example: `Deny-SqlMi-minTLS.json`. -#### **Deny** +> When creating the naming convention for the definition, it must comply with the [Naming rule and restrictions for Azure resources | Microsoft Authorization](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftauthorization) standard. -Deny policies are used to prevent the creation/action of and on Azure resources. Policies being created and contributed should be prefixed with 'Deny' - in example `Deny-Databricks-Sku.json`. +Once the `Name` in the file name and `Name` in the policy definition have been set, it is worth noting that they should not be changed as it can impact initiatives and assignments, with the exception of breaking policy changes. -#### **Deploy** +#### Breaking changes -Deploy follows the DeployIfNotExists (DINE) methodology. Policy contribution should be named prefixed with `Deploy` - in example `Deploy-Custom-Route-Table.json`. +Breaking changes are changes to the policy definition which will adversely impact a policy assignment. This can be a change to the `Name` of the policy definition, or changes to the number of parameters, for example. If this is required, it is recommended to create a new policy definition and deprecate the old one. -The naming convetion should be formatted in the following manner: `{prefix}-{resourceType}-{targetSetting}.json`. In an example: `Deny-SqlMi-minTLS.json`. 
+In order to implement a breaking change, the following steps should be followed: -When creating the naming convention for the definition, it must company with the [Naming rule and restrictions for Azure resources | Microsoft Authorization](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftauthorization) standard. +- Deprecate the existing policy following our [deprecation guidance](./ALZ-Policies#preview-and-deprecated-policies). +- Create the new policy definition with the breaking change, but append the policy filename and policy `Name` with the date the new policy is created formatted as `_YYYYMMDD`. The underscore is important. + - Example: add date to the end of the policy name: `deny-subnet-nsg_20230701`. +- Add metadata property to the new policy definition with `replacesPolicy` and the name of the policy being deprecated. + - Example: `"replacesPolicy": "deny-subnet-nsg"` +- Update initiatives and assignments to use the new policy definition. +- Update the [ALZ Deprecated Services](./wiki/ALZ-Deprecated-Services) with the policy deprecation, replacement policy and justification. -Once the `Name` in the file name and `Name` in the policy definition have been set, it is worth noting that they should not be changed as it can impact initiatives and assignments. 
+Example snippet from a new policy: + +```json + "name": "Deploy-Sql-vulnerabilityAssessments_20230706", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL Database Vulnerability Assessments", + "description": "Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deploy-Sql-vulnerabilityAssessments", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + } +``` + +#### Metadata and `policies.json` Inside of the JSON is a `metadata` section which is required for policy creation. -![Policy Metadata](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/media/policy-metadata-example.png) +![Policy Metadata](media/policy-metadata-example.png) | Metadata Value | Description | |----------------------|------------------------------------------------------------| 
@@ -130,7 +173,7 @@ Inside of the JSON is a `metadata` section which is required for policy creation The definition created then needs to be included in the [policies.bicep](https://github.com/Azure/Enterprise-Scale/blob/main/src/templates/policies.bicep) file inside of [src/templates/](https://github.com/Azure/Enterprise-Scale/blob/main/src/templates/) under the correct context. An additional line needs to be created under the respective variable in the file, depending on it being a policy definition or a policy set definition: -![Policies bicep file example 1](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/media/policies-bicep-example.png) +![Policies bicep file example 1](media/policies-bicep-example.png) For a policy definition, additional code should be added inside of the `loadPolicyDefinitions` variable under the correct environment: 
@@ -140,35 +183,70 @@ For a policy set definition, additional code should be added inside of the `load `loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json')` -The policy definition files will be compiled into a `policies.json` file from the `policy.bicep` file which was amended. +~~The policy definition files will be compiled into a `policies.json` file from the `policy.bicep` file which was amended.~~ + +> Due to security compliance requirements, we've made core changes that mean we no longer automatically build the policies, initiatives and roles templates after changes in the `src` folder are committed. This means that you as a contributor must run the bicep build commands to generate the required outputs as part of your pull request. Depending on the files you've updated these are the commands: +> +> - `bicep build ./src/templates/policies.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/policies.json` +> - `bicep build ./src/templates/initiatives.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json` +> - `bicep build ./src/templates/roles.bicep --outfile ./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json` -Once the policy work has been completed, a pull request has been submitted to the repository: +Once the policy work has been completed, a pull request should be submitted to the repository: -![pr-example](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/media/pr-example.png) +![pr-example](media/pr-example.png) -Policy versioning follows the same protocol as built-in policies. More information on that can be found in the [ALZ Policies document in the wiki](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Policies.md#versioning). 
+#### Versioning -For policy deprecation, the process is documented in the [Azure Landing Zones - Deprecating Policies](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Deprecated-Services.md) page. +Policy versioning follows the same protocol as built-in policies. More information on that can be found in the [ALZ Policies document in the wiki](./ALZ-Policies#versioning). -If a policy is part of an initiative, references to policies that are being deprecated should be removed. Policy initiatives are located in the [policySetDefinitions](https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization/policySetDefinitions/) folder. To find out if a policy is part of an initiative it is recommended to look up the policy definition in [AzAdvertiser](http://azadvertizer.com/) and check for association with initiatives. When identified, go into the necessary initiative and remove references to the definition. Locate the policy definition in the parameters of the initiative and remove reference: +#### Deprecation -![Example policy def in initiative](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/media/example-def-in-init.png) +For policy deprecation, the process is documented in the [Azure Landing Zones - Deprecating Policies](./ALZ-Deprecated-Services) page. + +If a policy is part of an initiative, references to policies that are being deprecated should be removed. Policy initiatives are located in the [policySetDefinitions](https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization/policySetDefinitions/) folder. To find out if a policy is part of an initiative it is recommended to look up the policy definition in [AzAdvertizer](http://azadvertizer.com/) and check for association with initiatives. When identified, go into the necessary initiative and remove references to the definition. 
Locate the policy definition in the parameters of the initiative and remove reference: + +![Example policy def in initiative](media/example-def-in-init.png) Also find it in the policyDefinitions and remove reference as well: -![Example policy def in initiative 2](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/media/example-def-in-init-2.png) +![Example policy def in initiative 2](media/example-def-in-init-2.png) + +#### Escaping policy functions When working within the policy files, to read parameters which are set at the top level of the policy definition a double escape is needed for ARM. So instead of using `[parameters('someParameter')]` within the policy, you should use `[[parameters('someParameter')]` instead. > **Note:** When testing the policy manually in the portal or another deployment outside of the ALZ Accelerator (Portal), you will need to remove the double escaping, `[[`, and revert to normal ,`[`' -When working with policies that are assigned by default, these are located under the [eslzArm/managementGroupTemplates/policyAssignments](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments) folder. References to policy definitions are done through the assignments, so if any amendments are done to default assigned policies, they should be amended here too. A wiki to default assignments can be found [in the wiki](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Policies.md). +#### Testing + +A new requirement as of FY24-Q1 for all new custom policies is that new policies (with DENY effect at this time) MUST have a Pester test to validate the policy is working as expected. This is to validate that the policy is effective and to prevent any regressions in the future should there be any policy updates. The Pester test should be located in the `/tests/policy` folder in this repo, and should be named the same as the policy definition, but with a `.Tests.ps1` extension. 
For example, if the policy definition is `Deny-AppService-PrivateEndpoint.json`, the Pester test should be named `Deny-AppService-PrivateEndpoint.Tests.ps1`. + +There are many examples available already in the `/tests/policy` for the current list of DENY policies. The preferred and recommended approach is to use PowerShell Az as far as possible, however, there are some situations where REST API will be required (e.g., Deny-MgmtPorts-From-Internet with complex rules or any deployment requiring parameters not available in PowerShell Az modules). Examples of both methods are also available in the current policy test folder - an example that uses both methods [Deny-FileServices-InsecureAuth.Tests.ps1](/tests/policy/Deny-FileServices-InsecureAuth.Tests.ps1).\ + +We have also included a [sample workflow](./ALZ-Policies-Test-Workflow-Sample) that can be used as a dedicated policy testing workflow in your own environments. + +To learn more about how we've implemented policy testing, please refer to [azure-policy-testing](https://github.com/fawohlsc/azure-policy-testing). + +#### Default assignments + +When working with policies that are assigned by default, these are located under the [eslzArm/managementGroupTemplates/policyAssignments](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/managementGroupTemplates/policyAssignments) folder. References to policy definitions are done through the assignments, so if any amendments are done to default assigned policies, they should be amended here too. A wiki to default assignments can be found [in the wiki](./ALZ-Policies). Policies in `eslzArm.json` file will also need updating if wanting to assign a new policy that is located. The file for this amendment [in eslzArm/eslzArm.json](https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/eslzArm.json). 
+### Portal Reference Implementation + +The portal reference implementation is a popular UI driven reference implementation for Azure landing zones, and is maintained as part of this repository. It is a great way to get started with Azure landing zones, and is a great way to learn about the underlying Azure landing zone guidance. + +When creating new policies that will be assigned by default by the portal reference architecture you are required to also include appropriate information and options in the portal experience (`eslzArm/eslz-portal.json`). Please do include appropriate selectors in line with the section (management group) that the policy is assigned to, and ensure that tooltips include links to the [AzAdvertizer](http://azadvertizer.com/) page for the policy or initiative. + +Example for the Key Vault initiative (note the tooltip): + +![Example of adding tooltip in portal experience](media/alz-contrib-portal1.png) + + ### Forking the repository and submitting a Pull Request -To start contributing to this guide is it worth reviewing the developer workflow for contribution [which is documented in GitHub](https://docs.github.com/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork). +To start contributing to this repository it is worth reviewing the developer workflow for contribution [which is documented in GitHub](https://docs.github.com/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork). ## Code of Conduct diff --git a/docs/wiki/ALZ-Deploy-reference-implementations.md b/docs/wiki/ALZ-Deploy-reference-implementations.md index 731bea66c4..12146f4f16 100644 --- a/docs/wiki/ALZ-Deploy-reference-implementations.md +++ b/docs/wiki/ALZ-Deploy-reference-implementations.md 
@@ -15,8 +15,6 @@ The Enterprise-Scale design principles and reference implementations can be adop | WingTip | Azure without hybrid connectivity |[![Deploy To Azure](https://learn.microsoft.com/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Feslz-portal.json) | [Detailed description](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md) | | Trey Research | For small enterprises | [![Deploy To Azure](https://learn.microsoft.com/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2Fdocs%2Freference%2Ftreyresearch%2FarmTemplates%2Fes-lite.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2Fdocs%2Freference%2Ftreyresearch%2FarmTemplates%2Fportal-es-lite.json) | [Detailed description](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/treyresearch/README.md) | -> The Bicep version is now available in Public Preview here: [https://github.com/Azure/ALZ-Bicep](https://github.com/Azure/ALZ-Bicep) - An Enterprise-Scale reference implementation is rooted in the principle that **Everything in Azure is a Resource**. All of the reference scenarios leverage native **Azure Resource Manager (ARM)** to describe and manage their resources as part of their target state architecture at-scale. Reference implementations enable security, monitoring, networking, and any other plumbing needed for landing zones (i.e. subscriptions) autonomously through policy enforcement. 
Companies will deploy the Azure environment with ARM templates to create the necessary structure for management and networking to declare a desired goal state. All scenarios will apply the principle of "Policy-Driven Governance" for landing zones by using Azure Policy. The benefits of a policy-driven approach are many but the most significant are: diff --git a/docs/wiki/ALZ-Deploy-workloads.md b/docs/wiki/ALZ-Deploy-workloads.md index 145d7b90f2..fdf9d2fe56 100644 --- a/docs/wiki/ALZ-Deploy-workloads.md +++ b/docs/wiki/ALZ-Deploy-workloads.md 
@@ -4,41 +4,4 @@ At this point you have the necessary platform setup and landing zones (subscript The following workloads outlined here provides best-practices, and curated deployment experiences for your application teams to successfully deploy them into their landing zones (online, corp). -## AKS (Kubernetes) - -Deploy Kubernetes to Azure and integrate with ARM, Azure AD, Azure Policy, and Azure Monitor to ensure you have a production ready Kubernetes cluster in your landing zone -a -| Landing zone | ARM Template | Details | -|:-------------------------|:-------------|:-----------| -| Online |[![Deploy To Azure](https://learn.microsoft.com/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2Fworkloads%2FAKS%2FarmTemplates%2Fonline-aks.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2Fworkloads%2FAKS%2FarmTemplates%2Fportal-online-aks.json) | [Detailed description](https://github.com/Azure/Enterprise-Scale/tree/main/workloads/AKS/README.md) -| Corp | Coming soon | Detailed description - - -### SAP (coming soon) - -Details coming soon - -| Landing zone | ARM Template | Details | -|:-------------------------|:-------------|:-----------| -| Online | Coming soon -| Corp | Coming soon - - -### Windows Virtual Desktop (coming soon) - -Details coming soon - -| Landing zone | ARM Template | Details | -|:-------------------------|:-------------|:-----------| -| Online | Coming soon -| Corp | Coming soon - - -### Data and Analytics (coming soon) - -Details coming soon - -| Landing zone | ARM Template | Details -|:-------------------------|:-------------|:-----------| -| Online | Coming soon -| Corp | Coming soon \ No newline at end of file +Please head to the Azure Architecture Page called [Deploy Azure landing zones](https://aka.ms/alz/aac) for more information and links 
to workload accelerators and much more. diff --git a/docs/wiki/ALZ-Deprecated-Services.md b/docs/wiki/ALZ-Deprecated-Services.md index 076ef0b8c8..9bf5810b54 100644 --- a/docs/wiki/ALZ-Deprecated-Services.md +++ b/docs/wiki/ALZ-Deprecated-Services.md 
@@ -1,28 +1,58 @@ -# Azure Landing Zones Deprecated Services +# Azure Landing Zones Deprecated Notices ## In this section -- [Azure Landing Zones Deprecated Services](#azure-landing-zones-deprecated-services) +- [Azure Landing Zones Deprecated Notices](#azure-landing-zones-deprecated-notices) + - [In this section](#in-this-section) + - [Overview](#overview) + - [Deprecated policies](#deprecated-policies) + - [More Information](#more-information) + - [Deprecated services](#deprecated-services) ## Overview -As built-in services are further developed by Microsoft, one or more Azure Landing Zone (ALZ) components may be superseded. +As policies and services are further developed by Microsoft, one or more Azure Landing Zone (ALZ) components may be superseded and need to be deprecated. This article provides details as to those items and supporting documentation to help you remain up to date. ## Deprecated policies -New Azure Policies are being developed and created constantly as a `built-in` type. Azure Landing Zones (ALZ) policies are not exempt from this, so over time some policies will be included as `built-in` from `ALZ` or `custom` types. This will lead to duplicate policies being created and additional admin overhead of maintenance. +New Azure Policies are being developed and created by product groups that support their services and are typically of the `built-in` type. These new policies often replace legacy policies which get deprecated and usually provide guidance on which policy to use instead. Azure Landing Zones (ALZ) policies are not exempt from this, and over time some policies will be updated to leverage new `built-in` policies instead of ALZ `custom` policies. Through this process, `custom` ALZ policies will be deprecated when new `built-in` policies are available that provide the same capability, which ultimately reduces maintenance overhead for `custom` policies. + +Policies being deprecated: + +| Deprecated ALZ Policy | Superseded by policy
(includes link to AzAdvertizer) | Justification | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | +| Deploys NSG flow logs and traffic analytics
ID: `Deploy-Nsg-FlowLogs` | [`e920df7f-9a64-4066-9b58-52684c02a091`](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html) | Custom policy replaced by built-in requires less administration overhead | +| Deploys NSG flow logs and traffic analytics to Log Analytics
ID: `Deploy-Nsg-FlowLogs-to-LA` | [`e920df7f-9a64-4066-9b58-52684c02a091`](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html) | Custom policy replaced by built-in requires less administration overhead | +| Deny the creation of public IP
ID: `Deny-PublicIP` | [`6c112d4e-5bc7-47ae-a041-ea2d9dccd749`](https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html) | Custom policy replaced by built-in requires less administration overhead | +| Latest TLS version should be used in your API App
ID: `8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e` | [`f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b`](https://www.azadvertizer.net/azpolicyadvertizer/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b.html) | Deprecated policy in initiative removed as existing policy supersedes it | +| SQL servers should use customer-managed keys to encrypt data at rest
ID: `0d134df8-db83-46fb-ad72-fe0c9428c8dd` | [`0a370ff3-6cab-4e85-8995-295fd854c5b8`](https://www.azadvertizer.net/azpolicyadvertizer/0a370ff3-6cab-4e85-8995-295fd854c5b8.html) | Deprecated policy in initiative replaced with new policy | +| RDP access from the Internet should be blocked
ID: `Deny-RDP-From-Internet` | [`Deny-MgmtPorts-From-Internet`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html) | Deprecated policy as it is superseded by a more flexible policy | +| Deploy SQL Database Transparent Data Encryption
ID: [`Deploy SQL Database Transparent Data Encryption`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-Tde.html) | `86a912f6-9a06-4e26-b447-11b16ba8659f` | Custom policy replaced by built-in requires less administration overhead | +| Azure Machine Learning should have disabled public network access
ID: [`Deny-MachineLearning-PublicNetworkAccess`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MachineLearning-PublicNetworkAccess.html) | [`438c38d2-3772-465a-a9cc-7a6666a275ce`](https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html) | Custom policy replaced by built-in requires less administration overhead | +| Public network access should be disabled for MariaDB
ID: [`Deny-PublicEndpoint-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-PublicEndpoint-MariaDB.html) | [`fdccbe47-f3e3-4213-ad5d-ea459b2fa077`](https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html) | Deprecating policies for MariaDB see [`ALZ Policy FAQ & Tips`](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Policies-FAQ.md). | +| Diagnostic Settings for MariaDB to Log Analytics Workspace
ID: [`Deploy-Diagnostics-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Diagnostics-MariaDB.html) | Deprecating due to service retirement | Deprecating policies for MariaDB, see [`ALZ Policy FAQ & Tips`](./ALZ-Policies-FAQ) | +| Deploy SQL Database Vulnerability Assessments
ID: [`Deploy-Sql-vulnerabilityAssessments`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html) | [`Deploy-Sql-vulnerabilityAssessments_20230706`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html) | Custom policy replaced by updated custom policy providing bug fix | +| Deploy Microsoft Defender for Cloud configuration
ID: [`Deploy-MDFC-Config`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) | [`Deploy-MDFC-Config_20240319`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) | Custom initiative replaced by updated custom initiative due to breaking changes | +| Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
ID: [`Enforce-EncryptTransit`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) | [`Enforce-EncryptTransit_20240509`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) | Custom initiative replaced by updated custom initiative due to breaking changes | +| Deploy SQL Database built-in SQL security configuration
ID: [`Deploy-SQL-Security`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-SQL-Security.html) | [`Deploy-SQL-Security_20240529`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-SQL-Security_20240529.html) | Custom initiative replaced by updated custom initiative due to breaking changes | +| Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW
ID: `Deploy-MDFC-DefenderSQL-AMA` | [`de01d381-bae9-4670-8870-786f89f49e26`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html) | Custom policy replaced by built-in requires less administration overhead | +| Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
ID: `Deploy-MDFC-SQL-DefenderSQL` | [`ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce`](https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html) | Custom policy replaced by built-in requires less administration overhead | +| Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW
ID: `Deploy-MDFC-SQL-DefenderSQL-DCR` | [`04754ef9-9ae3-4477-bf17-86ef50026304`](https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html) | Custom policy replaced by built-in requires less administration overhead | +| Configure SQL Virtual Machines to automatically install Azure Monitor Agent
ID: `Deploy-MDFC-SQL-AMA` | [`f91991d1-5383-4c95-8ee5-5ac423dd8bb1`](https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html) | Custom policy replaced by built-in requires less administration overhead | +| Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW
ID: `Deploy-MDFC-Arc-Sql-DefenderSQL-DCR` | [`63d03cbd-47fd-4ee1-8a1c-9ddf07303de0`](https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html) | Custom policy replaced by built-in requires less administration overhead | +| Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR
ID: `Deploy-MDFC-Arc-SQL-DCR-Association` | [`2227e1f1-23dd-4c3a-85a9-7024a401d8b2`](https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html) | Custom policy replaced by built-in requires less administration overhead | +| Deploy User Assigned Managed Identity for VM Insights
ID: `Deploy-UserAssignedManagedIdentity-VMInsights` | Deprecating as it's no longer required | User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription. | + +>IMPORTANT: note that we have deprecated ALL ALZ custom Diagnostic Setting features as part of Azure Landing Zones, which includes the initiatives and all 53 policies. These are being deprecated in favor of using (and assigning) the built-in initiative [Enable allLogs category group resource logging for supported resources to Log Analytics](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html) + +### More Information + +- [Azure Policy - Preview and deprecated policies](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md#preview-and-deprecated-policies) - to learn more about the deprecation process. +- [Migrate ALZ Policies to Built‐in](https://github.com/Azure/Enterprise-Scale/wiki/Migrate-ALZ-Policies-to-Built%E2%80%90in) - for guidance on how to migrate deprecated ALZ custom policies to Azure built-in policies. -Over time, a deprecation process of there `ALZ / custom` policies will have to take place. To learn more about the deprecation process, see the following documentation: - -[Azure Policy - Preview and deprecated policies](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md#preview-and-deprecated-policies) - -| Deprecated ALZ Policy IDs | Superseded by built-in policy IDs | Justification | -|-----------------------------------------------|--------------------------------------|--------------------------------------------------------------------------| -| Deploy-Nsg-FlowLogs | [e920df7f-9a64-4066-9b58-52684c02a091](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html?) 
| Custom policy replaced by built-in requires less administration overhead | -| Deploy-Nsg-FlowLogs-to-LA | [e920df7f-9a64-4066-9b58-52684c02a091](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html?) | Custom policy replaced by built-in requires less administration overhead | -| Deny-PublicIP | [6c112d4e-5bc7-47ae-a041-ea2d9dccd749](https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html?) | Custom policy replaced by built-in requires less administration overhead |½ - -Guidance on how to migrate deprecated ALZ custom policies to Azure built-in policies can be found [here](https://github.com/Azure/Enterprise-Scale/wiki/Migrate-ALZ-Policies-to-Built%E2%80%90in) ## Deprecated services -- Removed `ActivityLog` Solution as an option to be deployed into the Log Analytics Workspace. As this has been superseded by the Activity Log Insights Workbook, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights) \ No newline at end of file +- Removed `ActivityLog` Solution as an option to be deployed into the Log Analytics Workspace, as this has been superseded by the Activity Log Insights Workbook, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights) +- Removed `Service Map` solution as an option to be deployed, as this has been superseded by VM Insights, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights) Guidance on migrating and removing the Service Map solution can be found [here.](https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-migrate-from-service-map) + +- Due to Microsoft Monitor Agent (MMA) planned for deprecation (August 2024) we have started to remove MMA from our reference implementations starting with the ALZ Portal (https://aka.ms/alz/portal) and following this will start to remove MMA from Bicep and Terraform before the 
planned deprecation date. Please see [MMA Deprecation Guidance](/docs/wiki/ALZ-AMA-Update.md) for more details. \ No newline at end of file diff --git a/docs/wiki/ALZ-Policies-Extra.md b/docs/wiki/ALZ-Policies-Extra.md new file mode 100644 index 0000000000..7c3cc818a6 --- /dev/null +++ b/docs/wiki/ALZ-Policies-Extra.md 
@@ -0,0 +1,57 @@
+# ALZ Policies - Extra
+
+This document describes additional ALZ custom policy definitions and initiatives that are not assigned by default in ALZ, but are provided as they may assist some consumers of ALZ in specific scenarios where they can assign these additional policies to help them meet their objectives. We also provide guidance on how to handle certain situations as some of the policies require additional considerations prior to assigning.
+
+> For the complete list of Azure Landing Zones custom policies, please use [AzAdvertizer](https://www.azadvertizer.net/azpolicyadvertizer_all.html), and change `type` to `ALZ`.
+
+## Additional ALZ Custom Policies for consideration
+
+ALZ provides several additional policies that are not assigned by default but that can be used for specific scenarios should they be required.
+
+| Policy | Description | Notes |
+|------------|-------------|-------------|
+| Deny-Appgw-Without-Waf | Application Gateway should be deployed with WAF enabled | Use to ensure Application Gateways are deployed with Web Application Firewall enabled |
+| Deny-Private-Dns-Zones | Deny the creation of private DNS | For organizations that centralize core networking functions, use this policy to prevent the creation of additional Private DNS Zones under specific scopes |
+| Deny-Subnet-Without-Udr | Subnets should have a User Defined Route | Should you require all network traffic be directed to an appliance for inspection, you can use this policy to ensure UDR is associated with a subnet |
+| Deny-Udr-With-Specific-Nexthop | User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied | Refining `Deny-Subnet-Without-Udr` you can ensure non-compliant UDRs are denied (e.g., bypassing a firewall) |
+| Deny-Vnet-Peering | Deny vNet peering | Use to prevent vNet peering under specific scopes (e.g., Sandbox management group) |
+| Deny-Vnet-Peering-To-Non-Approved-Vnets | Deny vNet peering to non-approved vNets | Use to control vNet peering under specific scopes, like in the Corp management group, only allow peering to the hub vNet. |
+| Deploy-Budget | Deploy a default budget on all subscriptions under the assigned scope | Set a default budget for a specific scope, like setting a $500 budget on all subscriptions in the Sandbox management group |
+| Deploy-Vnet-Hubspoke | Deploy Virtual Network with peering to the hub | Automatically peer a new virtual network with the hub, for example, in the Corp management group |
+| Deploy-Windows-DomainJoin | Deploy Windows Domain Join Extension with Key Vault configuration | Windows Domain Join a virtual machine using domain name and password stored in Key Vault as secrets |
+
+## 2. ALZ, Workload Specific Compliance and Regulated Industries
+
+The Azure Landing Zone is designed to be a flexible and scalable solution that can be used by organizations in a variety of industries. However, organizations in regulated industries (FSI, Healthcare, etc.) may need to take additional steps to ensure compliance with industry-specific regulations. These regulations often commonly have a consistent set of controls to cover, like CMK, locking down public endpoints, TLS version enforcement, logging etc.
+
+To support the additional control requirements of these industries, we're providing the following additional initiatives that enhance the security and compliance posture of the Azure Landing Zone:
+
+> **Please Note:** These are meant to help customers across all regulated industries (FSI, Healthcare, etc.) and not be aligned to specific regulatory controls, as there are already policy initiatives available for these via [Azure Policy](https://learn.microsoft.com/azure/azure-resource-manager/management/security-controls-policy) & [Microsoft Defender for Cloud](https://learn.microsoft.com/azure/defender-for-cloud/regulatory-compliance-dashboard)
+
+| Initiative ID | Name | Description | # of Policies |
+|------------|-------------|-------------|-------------|
+| [Enforce-Guardrails-APIM](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-APIM.html) | Enforce recommended guardrails for API Management | This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones. | 11 |
+| [Enforce-Guardrails-AppServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-AppServices.html) | Enforce recommended guardrails for App Service | This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones. | 19 |
+| [Enforce-Guardrails-Automation](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Automation.html) | Enforce recommended guardrails for Automation Account | This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones. | 6 |
+| [Enforce-Guardrails-CognitiveServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-CognitiveServices.html) | Enforce recommended guardrails for Cognitive Services | This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones. | 5 |
+| [Enforce-Guardrails-Compute](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Compute.html) | Enforce recommended guardrails for Compute | This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones. | 2 |
+| [Enforce-Guardrails-ContainerApps](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ContainerApps.html) | Enforce recommended guardrails for Container Apps | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. | 2 |
+| [Enforce-Guardrails-ContainerInstance](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ContainerInstance.html) | Enforce recommended guardrails for Container Instance | This policy initiative is a group of policies that ensures Container Instance is compliant per regulated Landing Zones. | 1 |
+| [Enforce-Guardrails-ContainerRegistry](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ContainerRegistry.html) | Enforce recommended guardrails for Container Registry | This policy initiative is a group of policies that ensures Container Registry is compliant per regulated Landing Zones. | 12 |
+| [Enforce-Guardrails-CosmosDb](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-CosmosDb.html) | Enforce recommended guardrails for Cosmos DB | This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones. | 6 |
+| [Enforce-Guardrails-DataExplorer](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-DataExplorer.html) | Enforce recommended guardrails for Data Explorer | This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones. | 4 |
+| [Enforce-Guardrails-DataFactory](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-DataFactory.html) | Enforce recommended guardrails for Data Factory | This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones. | 5 |
+| [Enforce-Guardrails-EventGrid](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-EventGrid.html) | Enforce recommended guardrails for Event Grid | This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones. | 8 |
+| [Enforce-Guardrails-EventHub](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-EventHub.html) | Enforce recommended guardrails for Event Hub | This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones. | 4 |
+| [Enforce-Guardrails-KeyVault-Sup](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault-Sup.html) | Enforce additional recommended guardrails for Key Vault | This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones. This includes additional policies to supplement Enforce-Guardrails-KeyVault, which is assigned by default in ALZ. | 2 |
+| [Enforce-Guardrails-Kubernetes](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Kubernetes.html) | Enforce recommended guardrails for Kubernetes | This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones. | 16 |
+| [Enforce-Guardrails-MachineLearning](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MachineLearning.html) | Enforce recommended guardrails for Machine Learning | This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones. | 5 |
+| [Enforce-Guardrails-MySQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MySQL.html) | Enforce recommended guardrails for MySQL | This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones. | 2 |
+| [Enforce-Guardrails-Network](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Network.html) | Enforce recommended guardrails for Network and Networking services | This policy initiative is a group of policies that ensures Network and Networking services is compliant per regulated Landing Zones. | 22 |
+| [Enforce-Guardrails-OpenAI](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-OpenAI.html) | Enforce recommended guardrails for Open AI (Cognitive Service) | This policy initiative is a group of policies that ensures Open AI (Cognitive Services) is compliant per regulated Landing Zones. | 6 |
+| [Enforce-Guardrails-PostgreSQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-PostgreSQL.html) | Enforce recommended guardrails for PostgreSQL | This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones. | 1 |
+| [Enforce-Guardrails-ServiceBus](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ServiceBus.html) | Enforce recommended guardrails for Service Bus | This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones. | 4 |
+| [Enforce-Guardrails-SQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-SQL.html) | Enforce recommended guardrails for SQL and SQL Managed Instance | This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones. | 5 |
+| [Enforce-Guardrails-Storage](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Storage.html) | Enforce recommended guardrails for Storage Account | This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones. | 22 |
+| [Enforce-Guardrails-Synapse](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Synapse.html) | Enforce recommended guardrails for Synapse workspaces | This policy initiative is a group of policies that ensures Synapse is compliant per regulated Landing Zones. | 9 |
+| [Enforce-Guardrails-VirtualDesktop](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-VirtualDesktop.html) | Enforce recommended guardrails for Virtual Desktop | This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones. | 2 |
diff --git a/docs/wiki/ALZ-Policies-FAQ.md b/docs/wiki/ALZ-Policies-FAQ.md
new file mode 100644
index 0000000000..d3eaabcf1f
--- /dev/null
+++ b/docs/wiki/ALZ-Policies-FAQ.md
@@ -0,0 +1,92 @@
+# ALZ Policy FAQ and Tips
+
+## Frequently asked questions about ALZ policies
+
+There is a lot of change happening for policies in Azure, and by extension ALZ, and we have a number of common issues being raised by our customers and partners. This page is intended to address those issues.
+
+### ALZ Policies and Initiatives and the escape character
+
+We've had a number of issues and pull requests submitted specifically around the extra bracket `[` that is present in all policies and initiatives in this repo.
+
+> NOTE: The policies and initiatives in this repo are NOT intended to be deployed directly in Azure. You cannot copy the definition and deploy the policy directly without editing first. If you want to deploy a specific policy you must first remove the additional leading `[` character from the policy or initiative definition. Alternatively, to deploy a specific policy directly in Azure Policy, please use AzAdvertizer to lookup the policy and use the `copy definition` button to copy a clean version of the policy ready for use (this will remove all the extra `[`).
+
+The reason for this is that the policies and initiatives in this repo are intended to be used as part of the ALZ deployment process, and are used to generate the ARM templates that are deployed to Azure. The leading `[` character is required to support the generation of the ARM templates.
+
+### Diagnostic Settings v2 (December 2023)
+
+There are several issues raised around Diagnostic Settings, and we acknowledge that this is a complex area that is causing a lot of pain.
+
+At this time, the owners of Azure features/services are reworking their policies to comply with the new diagnostic settings v2 schema (which includes logging categories which is a popular ask). New diagnostics settings policies are landing for Azure services, with dedicated policies depending on the logging target required (Log Analytics, Event Hub or storage accounts). We are working with the product groups to ensure that the policies are updated as soon as possible.
+
+Check back here for updates, and be sure to bookmark [What's New](https://aka.ms/alz/whatsnew) to see the latest updates to ALZ.
+
+To view the current list of GitHub issues related to diagnostic settings, please see [this link](https://github.com/Azure/Enterprise-Scale/labels/Area:%20Diagnostic%20Settings).
+
+> **UPDATE** New built-in Diagnostic Settings policies and initiatives will be landing in early CY2024. As a heads-up we will begin deprecating all our custom diagnostic settings policies, and changing our default assignment to leverage the associated built-in initiative for Log Analytics (as the target) - additional options will include targeting Event Hubs or Storage accounts.
+
+### Microsoft Monitoring Agent (MMA) Deprecation and Azure Monitor Agent (AMA) (January 2024)
+
+Similarly, as Microsoft Monitoring Agent (MMA) is on a deprecation path (August 2024), Azure Monitor Agent (AMA) is the recommended replacement and there are a number of requests to support AMA specific policies (**NOTE**: Some features are going agentless thus not requiring an agent, see [Table: AMA parity status](./ALZ-AMA-Update#table-ama-parity-status) following link for more detail).
+
+**Update January 2024** We have been working on the removal of MMA from ALZ and the first step in the overall removal process is to update the ALZ Portal reference implementation (greenfield deployments) which has now been updated. Our next step is to work on the deployment to Terraform and Bicep reference implementations which requires significant investment to minimise impact to existing customers and providing clear guidance for the transition. For more details please see [Azure Monitor Agent Update](./ALZ-AMA-Update.md).
+
+### Azure Database for MariaDB (Jan 2024)
+
+Azure Database for MariaDB is being deprecated, with the retirement process beginning on January 19, 2024. Due to retirement Azure is phasing out MariaDB policies, aligning with a strategic shift to Azure Database for MySQL - Flexible Server. This includes deprecating Azure Landing Zone (ALZ) custom policies 'Diagnostic Settings (Deploy)' and 'Public Endpoint (Deny)' for MariaDB. These policies are becoming redundant with MariaDB's phase-out:
+
+1. Diagnostic Settings (Deploy) for MariaDB
+2. Public Endpoint (Deny) for MariaDB
+
+**Action for Users:** Users are encouraged to migrate to Azure Database for MySQL - Flexible Server. This migration will involve updating or replacing existing MariaDB-related policies with ones suitable for the MySQL Flexible Server environment.
+
+For more information on Azure Database for MariaDB, its retirement, and the migration process, visit [What's happening to Azure Database for MariaDB?](https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb).
+
+### Sovereign Clouds (US Gov and China)
+
+Numerous GitHub issues related to sovereign clouds are currently within our scope, and our team is actively endeavoring to resolve these concerns.
+
+Regrettably, due to stringent security requirements inherent in sovereign cloud environments, our team lacks the necessary access privileges to validate policies or authenticate the successful deployment of ALZ. Presently, our access permissions are confined exclusively to the public cloud.
+
+Given our constraints in conducting direct tests, we are dependent on the invaluable support of the broader community to assist us in identifying potential issues and offering constructive feedback. We intend to respond to issues pertaining to sovereign clouds on an "as soon as possible" basis, deploying our best efforts. However, due to the aforementioned limitations, we are unable to offer precise timelines for issue resolution.
+
+To view the current list of GitHub issues related to sovereign clouds, please see [this link](https://github.com/Azure/Enterprise-Scale/labels/Area%3A%20Sovereign).
+
+### Private DNS Zone Issues
+
+There are a number of issues raised related to private DNS zones not functioning correctly, and in some cases this is due to specific services requiring additional configuration to function correctly.
+
+Known services causing issues include:
+
+- VM Guest Configuration ([additional configuration required](https://learn.microsoft.com/en-us/azure/governance/machine-configuration/overview#communicate-over-private-link-in-azure)) - [GitHub Issue](https://github.com/Azure/Enterprise-Scale/issues/1466)
+- Power BI ([more info](https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-private-links)) - [GitHub Issue](https://github.com/Azure/Enterprise-Scale/issues/1441)
+
+If you encounter problems with DNS resolution for PaaS services that have Private DNS Zones deployed by ALZ, first verify their necessity. If the services do not require Private Link, or you do not intend to use Private Link for the service, we recommend either disconnecting/unlinking or deleting the private DNS zone from the hub or virtual network for those services. Alternatively, you can follow the specific guidance provided for correctly configuring the resource.
+
+## Tips & Recommendations
+
+### Enforcement mode instead of the audit effect
+
+It is strongly suggested that the enforcement mode be utilized over the audit effect for policies such as deny or deployIfNotExists (DINE). The function of the audit effect primarily serves as a brief, introductory measure to gauge the impending impacts of the policy prior to activating the enforcement mode. This mechanism is not designed to act as a perpetual solution for these categories of policies.
+
+By modifying the enforcement mode to a "do not enforce" state on a policy or initiative assignment, the enforcement of the effect (deny or DINE) is effectively suspended, while still maintaining the auditing of policy compliance. This strategy is particularly beneficial when seeking to deactivate deny or DINE on a policy or initiative assignment and comes highly recommended for such circumstances.
+
+For a detailed explanation of this topic, please review [Adopt policy-driven guardrails](https://learn.microsoft.com/en-gb/azure/cloud-adoption-framework/ready/enterprise-scale/dine-guidance).
+
+### Deny policies also audit
+
+Numerous deny policies, constituting a part of the ALZ deployment, inherently carry out an action (i.e., denying the action). Nonetheless, it is critical to recognize that these policies additionally incorporate an auditing capability, particularly for pre-existing resources that remain unremediated or are inherently unremediable in instances of deny policies.
+
+For instance, consider the policy assignment Deny the deployment of classic resources. While this policy predominantly prevents the deployment of classic resources, it also performs an audit of classic resources that have been previously deployed. This functionality is instrumental in comprehending the extent of the issue at hand and thereby facilitates effective remediation efforts.
+
+### Unassigned custom policies deployed by ALZ
+
+ALZ deploys a number of custom policies that are not assigned to any scope by default. There are some very useful policies included that would not necessarily benefit all customers, as there may be dependencies or other decisions needed that would drive the decision to implement them.
+
+As an example, we provide the [Deploy a default budget on all subscriptions under the assigned scope](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Budget.html) policy that may be useful for managing costs for your subscriptions, e.g., subscriptions under the Sandboxes management group.
+
+As a starting point reviewing ALZ provided custom policies, we recommend that you review the [ALZ custom policies](https://www.azadvertizer.net/azpolicyadvertizer_all.html#%7B%22col_11%22%3A%7B%22flt%22%3A%22ALZ%22%7D%2C%22col_3%22%3A%7B%22flt%22%3A%22!diag%22%7D%2C%22page_length%22%3A100%7D). This link will show you all the ALZ custom policies that are not diagnostic settings policies. Some of these are assigned to specific scopes or included in initiatives that are assigned, but many are not ([AzAdvertizer](https://www.azadvertizer.net/) is not aware of ALZ policy assignments).
+
+Alternatively, we highly recommend you run [AzGovViz](https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting) against your Azure estate to understand the policies that are assigned to your subscriptions and management groups, and get a tailored report that includes unassigned policies. An example, based on a vanilla ALZ deployment, is shown below:
+
+![AzGovViz ALZ Policy example](./media/AzGovViz-ALZ-Policy.png)
+To get the full list of unassigned ALZ policies, check "# Orphaned Custom Policy definitions" in the report.
diff --git a/docs/wiki/ALZ-Policies-Test-Workflow-Sample.md b/docs/wiki/ALZ-Policies-Test-Workflow-Sample.md
new file mode 100644
index 0000000000..ce9f56ff2c
--- /dev/null
+++ b/docs/wiki/ALZ-Policies-Test-Workflow-Sample.md
@@ -0,0 +1,83 @@
+# ALZ Policy Testing Workflow Sample
+
+``` YAML
+name: ALZ Tests for Policy
+
+on:
+ pull_request:
+ types:
+ - opened
+ - reopened
+ - synchronize
+ - ready_for_review
+ branches:
+ - main
+ - TestingFramework # For testing purposes only update as needed based on branch name
+ paths:
+ - ".github/workflows/**"
+ - "tests/policy/**"
+ - "tests/utils/**"
+ workflow_dispatch:
+ inputs:
+ remarks:
+ description: "Reason for triggering the workflow run"
+ required: false
+ default: "Testing Azure Policies..."
+
+jobs:
+ test-alz-policies:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+
+ - name: Install PowerShell modules
+ shell: pwsh
+ run: |
+ Install-Module -Name "Az" -RequiredVersion "10.1.0" -Force -Scope CurrentUser -ErrorAction Stop
+ Update-AzConfig -DisplayBreakingChangeWarning $false
+
+ - name: Azure login (OIDC)
+ uses: azure/login@v1
+ if: ${{ success() && env.AZURE_CLIENT_SECRET == '' }}
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ enable-AzPSSession: true
+ env:
+ AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+
+ - name: Azure login (Client Secret)
+ uses: azure/login@v1
+ if: ${{ success() && env.AZURE_CLIENT_SECRET != '' }}
+ with:
+ creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+ enable-AzPSSession: true
+ env:
+ AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+
+ - name: Pester Test for Policies
+ shell: pwsh
+ run: |
+ Import-Module Pester -Force
+ $pesterConfiguration = @{
+ Run = @{
+ Path = "tests/*.tests.ps1"
+ PassThru = $true
+ }
+ Output = @{
+ Verbosity = 'Detailed'
+ CIFormat = 'Auto'
+ }
+ }
+ $result = Invoke-Pester
-Configuration $pesterConfiguration
+ exit $result.FailedCount
+ env:
+ SUBSCRIPTION_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION1_ID }}
+ SUBSCRIPTION2_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION2_ID }} #Used for policy tests that require a second subscription (e.g. cross subscription peering)
+ TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+```
\ No newline at end of file
diff --git a/docs/wiki/ALZ-Policies-Testing.md b/docs/wiki/ALZ-Policies-Testing.md
new file mode 100644
index 0000000000..50ee3ff52d
--- /dev/null
+++ b/docs/wiki/ALZ-Policies-Testing.md
@@ -0,0 +1,221 @@
+# Azure Landing Zone Policy Testing Framework
+
+## Overview
+
+The ALZ Policy Testing Framework is a set of tools and scripts that can be used to test Azure Policies do what is expected and prevent breaking regressions. The framework is designed to be used with pipelines as part of CI/CD processes to test policies as they are developed and integrated to ultimately improve the quality and stability of policies going into production environments.
+
+This framework is based on the work done by @fawohlsc in this repo [azure-policy-testing](https://github.com/fawohlsc/azure-policy-testing), and is built on the well established PowerShell testing framework [Pester](https://pester.dev/).
+
+For ALZ, the focus is on testing Azure Policy definitions that have a DENY effect, as these can be very disruptive to organizations if a regression is introduced, and helps us improve the quality of the policies we are developing and deploying to production environments. The framework can be extended to test other policy effects, but this is not the focus of this framework.
+
+> **_NOTE:_** The ALZ team are considering adding support for testing Azure Policy definitions that use other effects like Audit, DeployIfNotExists.
+
+For authoring tests we standardized on using Az PowerShell native commands as much as possible as it is simpler to implement and read, however, there are circumstances where you will need to use REST APIs as not all features are exposed through Az PowerShell. To keep things simple, we have leveraged the `Invoke-AzRestMethod` function that wraps the REST API calls and make it easier to use in the Pester tests.
+
+### Prerequisites
+
+- An empty (dedicated) Azure subscription
+ - If following the same process as outlined below, you will also need to ensure this subscription is added to the "Corp" management group in the Azure Landing Zone
+- [Pester](https://pester.dev/docs/introduction/installation)
+- [Az PowerShell Module](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell?view=azps-11.0.0&viewFallbackFrom=azps-6.2.0)
+- [Invoke-AzRestMethod](https://learn.microsoft.com/en-us/powershell/module/az.accounts/invoke-azrestmethod?view=azps-11.0.0)
+
+### How it works
+
+The ALZ policy testing framework is designed to be used with GitHub Actions, but can be used with any CI/CD pipeline that supports PowerShell, or can be run directly on an ad hoc basis. The ALZ policy testing framework is designed to be used with the following workflow:
+
+1. A pull request is created to update a policy definition
+2. The pull request triggers a GitHub Action workflow
+3. The workflow runs the defined Pester tests against the policy definition
+4. The workflow reports the results of the tests back to the pull request checks
+5. The pull request is reviewed and handled based on the results of the tests
+
+### How to use it
+
+#### 1. Create a new GitHub Action workflow
+
+Create a new GitHub Action workflow in the `.github/workflows` folder of your repository. The workflow should be triggered on pull request events and should run on the `main` branch. The workflow should also allow being triggered manually to allow for testing of policies outside of pull requests.
+
+[Sample GitHub Action Workflow to run Policy tests](ALZ-Policies-Test-Workflow-Sample.md)
+
+#### 2. Create a new Pester test file
+
+Create a new Pester test file in the `tests/policy` folder of your repository. The test file should be named the same as the policy definition file it is testing, but with a `.tests.ps1` extension.
For example, if the policy definition file is named `azurepolicy.json`, the test file should be named `azurepolicy.tests.ps1`.
+
+#### 3. Write the Pester tests
+
+Write the Pester tests in the test file. The tests should cover the following scenarios:
+
+- Conditions that should be true when the policy is evaluated, so it is compliant
+- Conditions that should be false when the policy is evaluated, so it is non-compliant
+
+It is important to test all the conditions evaluated in the policy. For example, if the policy is evaluating the `location` of a resource, you should test the following scenarios:
+
+- Resource is deployed in a location that is compliant with the policy
+- Resource is deployed in a location that is non-compliant with the policy
+
+See the [How to write Pester tests for policies](#how-to-write-pester-tests-for-policies) section for more details on how to write Pester tests for policies.
+
+### Where is the testing framework?
+
+The testing framework is located in the [ALZ repository](https://aka.ms/alz/repo) in the `tests` folder. The framework consists of the following folders:
+
+- `policy` - Contains the Pester tests for the policies
+- `utils` - Contains the utility functions used by the Pester tests
+
+### How to write Pester tests for policies
+
+For the purposes of this guide, we'll focus on the Policy test for `Deny-MgmtPorts-Internet` policy as it demonstrates using both Az PowerShell and REST API calls in the Pester test. The policy definition file is located in the `policy` folder of the [ALZ repository](https://aka.ms/alz/repo) in the `policy` folder.
+
+The policy tests are designed to run in an empty subscription(s) to ensure that the policy is evaluated in isolation and not impacted by other policies or resources in the subscription.
+
+> **_NOTE:_** Because we are testing Azure policies in the context of Azure Landing Zone, we are using a dedicated subscription in the "Corp" landing zone that is added under the Corp management group, where we retrieve the deployed policy definition ID and create a new policy assignment to test the policy (because we do not assign all policies by default, and some get assigned to different scopes).
+> You can extend this methodology to test policies outside of Azure Landing Zone by deploying the policy you want to test and assigning it to the scope you want to test (e.g. subscription, resource group, etc.
+
+The policy test has 4 main sections (aligned with how Pester works):
+
+#### BeforeAll: This section is used to setup the environment for the tests.
+
+```powershell
+ # Set the default context for Az commands.
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force
+
+ if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) {
+ Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath"
+ $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable
+
+ # Set the esCompanyPrefix from the deployment configuration if not specified
+ $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix
+ $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp"
+ }
+
+ $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-MgmtPorts-From-Internet' }
+ New-AzPolicyAssignment -Name "TDeny-MgmtPorts-Internet" -Scope $mangementGroupScope -PolicyDefinition $definition -PolicyParameterObject @{
+ "ports" = @("3389", "22")
+ }
+```
+
+As part of the setup before running the test, we need to ensure we have the correct Azure context set, and that the policy is assigned to the correct scope.
Because these steps are running as part of Azure Landing Zone pull request testing, the policies we want to test get deployed prior to running these test. In this case, we retrieve the policy definition and assign it to the management group scope, passing in the policy parameters to ensure the policy is evaluated correctly.
+
+If you want to extend this methodology to test policies independent of deploying ALZ, you could extend this section to also deploy the policy you want to test, and then do the policy assignment.
+
+#### DENY - group of tests to validate scenarios that where the policy effect is applied and deployment should fail.
+
+As an example, using Az PowerShell:
+
+```Powershell
+ It "Should deny non-compliant port '3389'" -Tag "deny-noncompliant-nsg-port" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $networkSecurityGroup = New-AzNetworkSecurityGroup `
+ -Name "nsg-test" `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -Location $ResourceGroup.Location
+
+ # Should be disallowed by policy, so exception should be thrown.
+ {
+ $networkSecurityGroup | Add-AzNetworkSecurityRuleConfig `
+ -Name RDP-rule `
+ -Description "Allow RDP" `
+ -Access Allow `
+ -Protocol Tcp `
+ -Direction Inbound `
+ -Priority 200 `
+ -SourceAddressPrefix * `
+ -SourcePortRange * `
+ -DestinationAddressPrefix * `
+ -DestinationPortRange 3389 # Incompliant.
+ | Set-AzNetworkSecurityGroup
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+```
+
+In this example, we are creating a new Network Security Group (NSG) and adding a rule to allow RDP traffic on port 3389. The policy we're testing is configured to deny traffic on port 3389, so we expect this operation to fail. We use the `Should -Throw` command to validate that the operation failed with the expected error message.
+
+#### ALLOW - group of tests to validate scenarios that are compliant with the policy conditions and should succeed.
+
+As an example, using REST API with `Invoke-AzRestMethod`:
+
+```Powershell
+ It "Should allow compliant port ranges* - API" -Tag "allow-compliant-nsg-port" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ #Destination port ranges to test
+ $portRanges = @("23","3390-3392","8080")
+
+ # Create Payload for NSG
+ $securityRules = @(
+ @{
+ name = "Web-rule"
+ properties = @{
+ description = "Allow Web2"
+ protocol = "Tcp"
+ sourcePortRange = "*"
+ destinationPortRange = "443"
+ sourceAddressPrefix = "*"
+ destinationAddressPrefix = "*"
+ access = "Allow"
+ priority = 300
+ direction = "Inbound"
+ }
+ },
+ @{
+ name = "Multi-rule"
+ properties = @{
+ description = "Allow Mgmt3"
+ protocol = "Tcp"
+ sourcePortRange = "*"
+ destinationPortRanges = $portRanges
+ sourceAddressPrefix = "*"
+ destinationAddressPrefix = "*"
+ access = "Allow"
+ priority = 310
+ direction = "Inbound"
+ }
+ }
+ )
+
+ $object = @{
+ properties = @{
+ securityRules = $securityRules
+ }
+ location = "uksouth"
+ }
+
+ $payload = ConvertTo-Json -InputObject $object -Depth 100
+
+ # Should be disallowed by policy, so exception should be thrown.
+ {
+ $httpResponse = Invoke-AzRestMethod `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -ResourceProviderName "Microsoft.Network" `
+ -ResourceType "networkSecurityGroups" `
+ -Name "testNSG99" `
+ -ApiVersion "2022-11-01" `
+ -Method "PUT" `
+ -Payload $payload
+
+ if ($httpResponse.StatusCode -eq 200 -or $httpResponse.StatusCode -eq 201) {
+ # NSG created
+ }
+ # Error response describing why the operation failed.
+ else {
+ throw "Operation failed with message: '$($httpResponse.Content)'"
+ }
+ } | Should -Not -Throw
+ }
+ }
+```
+
+In this example, we are creating a new Network Security Group (NSG) and adding a rule to allow traffic on port 443. The policy we're testing is configured to deny traffic on port 3389, so we expect this operation to succeed. We use the `Should -Not -Throw` command to validate that the operation succeeded.
+
+#### AfterAll: This section is used to clean up the environment after the tests are completed.
+
+```Powershell
+ Remove-AzPolicyAssignment -Name "TDeny-MgmtPorts-Internet" -Scope $mangementGroupScope -Confirm:$false
+```
+
+In this example, we are removing the policy assignment after the tests are completed (if you're testing outside of an ALZ deployment, you can also use this to remove the deployed policy).
\ No newline at end of file
diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md
index 0950a474c1..e72ad4ba06 100644
--- a/docs/wiki/ALZ-Policies.md
+++ b/docs/wiki/ALZ-Policies.md
@@ -4,15 +4,21 @@ Azure Policy and deployIfNotExist enables autonomy in the platform, and reduces
 > Please refer to [Policy Driven Governance](https://learn.microsoft.com/en-gb/azure/cloud-adoption-framework/ready/landing-zone/design-principles#policy-driven-governance) for further information.
+> **IMPORTANT NOTE:** ALZ priority is to provide a secure by default, Zero Trust aligned, configuration, and occasionally we will rely on `-preview` policies in our default assignments to meet our core objective. These preview policies are maintained by the Azure product owners and versioning is not in our control, however, we feel they are sufficiently important to be included in our releases. If the inclusion of preview policies is of concern, please review all ALZ default initiative assignments and remove any `-preview` policies that you are not comfortable with.
+
+## FAQ and Tips
+
+ We have added a dedicated [ALZ Policy FAQ and Tips](./ALZ-Policies-FAQ) based on common issues raised or questions asked by customers and partners.
+
 ## Why are there custom policy definitions as part of Azure landing zones?
 We work with - and learn from our customers and partners to ensure that we evolve and enhance the reference implementations to meet customer requirements. The primary approach of the policies as part of Azure landing zones is to be proactive (deployIfNotExist, and modify), and preventive (deny). We are continuously moving these policies to built-ins.
 ## What Azure Policies does Azure landing zone provide additionally to those already built-in?
-There are around 106 custom Azure Policy Definitions included and around 7 Custom Azure Policy Initiatives included as part of the Azure Landing Zones implementation that add on to those already built-in within each Azure customers tenant.
+There are around 114 custom Azure Policy Definitions included and around 12 Custom Azure Policy Initiatives included as part of the Azure Landing Zones implementation that add on to those already built-in within each Azure customers tenant.
-All custom Azure Policy Definitions and Initiatives are the same across all 3 implementation options for Azure landing zones; [Terraform Module](https://aka.ms/alz/tf), [Bicep Modules](https://aka.ms/alz/bicep), [Azure landing zone portal accelerator](https://aka.ms/alz#azure-landing-zone-accelerator).
+For Azure landing zones, the custom Azure Policy Definitions and Initiatives are consistent across the three implementation options, unless otherwise noted; [Terraform Module](https://aka.ms/alz/tf), [Bicep Modules](https://aka.ms/alz/bicep), [Azure landing zone portal accelerator](https://aka.ms/alz#azure-landing-zone-accelerator).
 This is because the single source of truth is the [`Enterprise-Scale` repo](https://github.com/Azure/Enterprise-Scale) that both the Terraform and Bicep implementation options pull from to build their `lib` folders respectively.
@@ -20,6 +26,10 @@ For a complete list of all custom and built-in policies deployed within an Azure
 > Our goal is always to try and use built-in policies where available and also work with product teams to adopt our custom policies and make them built-in, which takes time. This means there will always be a requirement for custom policies.
+## Why are managed identities deployed as part of the ALZ policies?
+
+Managed Identities provide an alternative way to access Azure resources without having to manage credentials. They are created as a part of the ALZ policies mainly for policies that have the deployIfNotExists (DINE) effect in this initiative. The managed identities are used in order to remediate resources that are not compliant with the policy. For further information on how remediation works with access control, please refer to the following documentation: [Remediate non-compliant resources - Azure Policy | Microsoft](https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#how-remediation-access-control-works)
+
 ## AzAdvertizer Integration
 We have worked with the creator of [AzAdvertizer](https://www.azadvertizer.net) to integrate all of the custom Azure Policy Definitions and Initiatives as part of Azure landing zones into it to help customers use the tool to look at the policies further in an easy to use tool that is popular in the community.
@@ -34,12 +44,14 @@ AzAdvertizer also updates once per day!
 As part of a default deployment configuration, policy and policy set definitions are deployed at multiple levels within the Azure landing zone Management Group hierarchy as depicted within the below diagram.
-![image](./media/MgmtGroups_Policies_v0.1.jpg)
+![image](./media/MgmtGroups_Policies_v0.1.svg)
 The subsequent sections will provide a summary of policy sets and policy set definitions applied at each level of the Management Group hierarchy.
 > **NOTE**: Although the below sections will define which policy definitions/sets are applied at specific scopes, please remember that policy will inherit within your management group hierarchy.
+> For convenience, an Excel version of the below information is available [here](./media/ALZ%20Policy%20Assignments%20v2.xlsx) or click the icon.
+
 ### Intermediate Root
 This management group is a parent to all the other management groups created within the default Azure landing zone configuration. Policy assignment is predominantly focused on assignment of security and monitoring best practices to ensure compliance and reduced operational overhead.
@@ -55,40 +67,65 @@ This management group is a parent to all the other management groups created wit | **Policy Type** | **Count** | | :--- | :---: | -| `Policy Definition Sets` | **5** | -| `Policy Definitions` | **1** | +| `Policy Definition Sets` | **13** | +| `Policy Definitions` | **3** | The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Intermediate Root Management Group**. -| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version | -| -------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | ------- | -| **Deploy Microsoft Defender for Cloud configuration** | **Deploy Microsoft Defender for Cloud configuration** | `Policy Definition Set`, **Custom** | Configures all the MDFC settings, such as Microsoft Defender for Cloud per individual service, security contacts, and export from MDFC to Log Analytics workspace | DeployIfNotExists | 3.0.0 | -| **Deploy-Resource-Diag** | **Deploy Diagnostic Settings to Azure Services** | `Policy Definition Set`, **Custom** | This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. 
| DeployIfNotExists | 2.0.0 | -| **Enable Monitoring in Azure Security Center** | **Azure Security Benchmark** | `Policy Definition Set`, **Built-in** | The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v1, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | Audit, AuditIfNotExists, Disabled | 49.0.0 | -| **Enable Azure Monitor for VMs** | **Enable Azure Monitor for VMs** | `Policy Definition Set`, **Built-in** | Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter | DeployIfNotExists, AuditIfNotExists | 2.0.0 | -| **Enable Azure Monitor for Virtual Machine Scale Sets** | **Enable Azure Monitor for Virtual Machine Scale Sets** | `Policy Definition Set`, **Built-in** | Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. 
| DeployIfNotExists, AuditIfNotExists | 1.0.1 | -| **Deploy Diagnostic Settings for Activity Log to Log Analytics workspace** | **Configure Azure Activity logs to stream to specified Log Analytics workspace** | `Policy Definition`, **Built-in** | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events | DeployIfNotExists | 1.0.0 | +| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | +| -------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | +| **Deploy Microsoft Defender for Cloud configuration** | **Deploy Microsoft Defender for Cloud configuration** | `Policy Definition Set`, **Custom** | Configures all the MDFC settings, such as Microsoft Defender for Cloud per individual service, security contacts, and export from MDFC to Log Analytics workspace | DeployIfNotExists | +| **[Preview]: Deploy Microsoft Defender for Endpoint agent** | **[Preview]: Deploy Microsoft Defender for Endpoint agent** | `Policy Definition Set`, **Built-in** | Deploy Microsoft Defender for Endpoint agent on applicable images. 
| DeployIfNotExists | +| **Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud** | **Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud** | `Policy Definition Set`, **Built-in** | Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud images. | DeployIfNotExists | +| **Deploy-Diag-Logs** | **Deploy Diagnostic Settings to Azure Services** | `Policy Definition Set`, **Custom** | This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. | DeployIfNotExists | +| **Enable Monitoring in Azure Security Center** | **Azure Security Benchmark** | `Policy Definition Set`, **Built-in** | The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v1, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | Audit, AuditIfNotExists, Disabled | +| **Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances** | **Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances** | `Policy Definition Set`, **Built-in** | Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
| DeployIfNotExists | +| **Configure Advanced Threat Protection to be enabled on open-source relational databases** | **Configure Advanced Threat Protection to be enabled on open-source relational databases** | `Policy Definition Set`, **Built-in** | Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu. | DeployIfNotExists | +| **Deploy Diagnostic Settings for Activity Log to Log Analytics workspace** | **Configure Azure Activity logs to stream to specified Log Analytics workspace** | `Policy Definition`, **Built-in** | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events | DeployIfNotExists | +| **Deny the Deployment of Classic Resources** | **Not allowed resource types** | `Policy Definition`, **Built-in** | Denies deployment of classic resource types under the assigned scope | Deny | +| **Audit-UnusedResourcesCostOptimization** | **Audit-UnusedResourcesCostOptimization** | `Policy Definition Set`, **Custom** | Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost. | Audit | +| **Audit-TrustedLaunch** | **Audit-TrustedLaunch** | `Policy Definition Set`, **Custom** | Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch. | Audit | +| **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | `Policy Definition`, **Built-In** | Deny virtual machines not using managed disk. 
It checks the managedDisk property on virtual machine OS Disk fields. | Deny | +| **Deploy Azure Monitor Baseline Alerts for Service Health** | **Deploy Azure Monitor Baseline Alerts for Service Health** | `Policy Definition Set`, **Custom** | Deploys service health alerts, action group and alert processing rule. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Service Health initiative. | DeployIfNotExists | +| **Resources should be Zone Resilient** | **Resources should be Zone Resilient** | `Policy Definition Set`, **Built-in** | Some resource types can be deployed Zone Redundant (e.g. SQL Databases); some can be deploy Zone Aligned (e.g. Virtual Machines); and some can be deployed either Zone Aligned or Zone Redundant (e.g. Virtual Machine Scale Sets). Being zone aligned does not guarantee resilience, but it is the foundation on which a resilient solution can be built (e.g. three Virtual Machine Scale Sets zone aligned to three different zones in the same region with a load balancer). See https://aka.ms/AZResilience for more info. | Audit | +| **Resource Group and Resource locations should match** | **Resource Group and Resource locations should match** | `Policy Definition`, **Built-in** | In order to improve resilience and reliability, you need to be aware of where resources are deployed. To aid this awareness, ensure that the location of the resource group matches the location of the resources it contains. | Audit | ### Platform -This management group contains all the platform child management groups, like management, connectivity, and identity. There are currently no policies assigned at this management group +This management group contains all the platform child management groups, like management, connectivity, and identity.
Management Group Policy Configuration
-![image](./media/Platform_v0.1.jpg)
+![image](./media/Platform_v0.1.svg)
 | **Policy Type** | **Count** |
 | :--- | :---: |
-| `Policy Definition Sets` | **0** |
+| `Policy Definition Sets` | **10** |
 | `Policy Definitions` | **0** |
+| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
+| -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
+| **Enforce recommended guardrails for Azure Key Vault** | **Enforce recommended guardrails for Azure Key Vault** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Key vaults should have soft delete enabled (Deny)
  • Key vaults should have purge protection enabled (Deny)
  • Key Vault secrets should have an expiration date (Audit)
  • Key Vault keys should have an expiration date (Audit)
  • Azure Key Vault should have firewall enabled (Audit)
  • Certificates should have the specified lifetime action triggers (Audit)
  • Keys should have more than the specified number of days before expiration (Audit < 90 days)
  • Secrets should have more than the specified number of days before expiration (Audit < 90 days)
| Audit, Deny |
+| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Immutability must be enabled for backup vaults
  • Immutability must be enabled for Recovery Services vaults
  • Soft delete should be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit |
+| **Enable Azure Monitor for VMs**\* | **Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines (VMs) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled |
+| **Enable Azure Monitor for Virtual Machine Scale Sets**\* | **Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines scale sets (VMSS) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled |
+| **Enable Azure Monitor for Hybrid Virtual Machines**\* | **Enable Azure Monitor for Hybrid VMs with AMA** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on Arc-enabled servers (Hybrid) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled |
+| **Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.*** | **Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines** | `Policy Definition Set`, **Custom** | With this policy initiative, you can enable automatic OS updates assessment every 24 hours. This is a custom initiative of built-in policies. 
| Modify |
+| **Enable ChangeTracking and Inventory for virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
+| **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
+| **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
+| **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. 
| DeployIfNotExists, Disabled |
+| **Do not allow deletion of the User Assigned Managed Identity used by AMA**\*| **Do not allow deletion of specified resource and resource type** | `Policy Definition`, **Custom** | This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect. | DenyAction |
+
+> \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future.
+
 ### Connectivity
 This management group contains a dedicated subscription for connectivity. This subscription will host the Azure networking resources required for the platform, like Azure Virtual WAN, Azure Firewall, and Azure DNS private zones. Policy assignment is predominantly focused on Azure DDoS Protection. 
@@ -104,15 +141,16 @@ This management group contains a dedicated subscription for connectivity. This s
 | **Policy Type** | **Count** |
 | :--- | :---: |
-| `Policy Definition Sets` | **0** |
+| `Policy Definition Sets` | **1** |
 | `Policy Definitions` | **1** |
 The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Connectivity Management Group**.
-| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
-| -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ------- |
-| **Virtual networks should be protected by Azure DDoS Network Protection** | **Virtual networks should be protected by Azure DDoS Network Protection** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs. 
| Modify | 1.0.0 |
+| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
+| -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
+| **Virtual networks should be protected by Azure DDoS Network Protection** | **Virtual networks should be protected by Azure DDoS Network Protection** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify |
+| **Deploy Azure Monitor Baseline Alerts for Connectivity** | **Deploy Azure Monitor Baseline Alerts for Connectivity** | `Policy Definition Set`, **Custom** | Deploys alerting for connectivity related resources. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Connectivity initiative. | DeployIfNotExists |
 ### Management 
@@ -129,15 +167,17 @@ This management group contains a dedicated subscription for management, monitori
 | **Policy Type** | **Count** |
 | :--- | :---: |
-| `Policy Definition Sets` | **0** |
+| `Policy Definition Sets` | **1** |
 | `Policy Definitions` | **1** |
 The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Management Management Group**.
-| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
-| ------------------------ | ---------------------------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------- |
-| **Deploy-Log-Analytics** | **Configure Log Analytics workspace and automation account to centralize logs and monitoring** | `Policy Definition`, **Built-in** | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. | DeployIfNotExists | 2.0.0 |
+| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
+| ------------------------ | ---------------------------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ----------------- |
+| **Deploy-Log-Analytics** | **Configure Log Analytics workspace and automation account to centralize logs and monitoring** | `Policy Definition`, **Built-in** | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. 
| DeployIfNotExists |
+| **Deploy Azure Monitor Baseline Alerts for Management** | **Deploy Azure Monitor Baseline Alerts for Management** | `Policy Definition Set`, **Custom** | Deploys alerting for management related resources. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Management initiative. | DeployIfNotExists |
+
 ### Identity 
@@ -154,18 +194,19 @@ This management group contains a dedicated subscription for identity. This subsc
 | **Policy Type** | **Count** |
 | :--- | :---: |
-| `Policy Definition Sets` | **0** |
+| `Policy Definition Sets` | **1** |
 | `Policy Definitions` | **4** |
 The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Identity Management Group**.
-| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
-| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------- |
+| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
+| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
 | **Deny the creation of public IP** | **Not allowed resource types** | `Policy Definition`, **Built-in** | This policy denies creation of Public IPs under the assigned scope. 
Single parameter value for `listOfResourceTypesNotAllowed` which is `Microsoft.Network/publicIPAddresses` | Deny | 1.0.0 |
-| **RDP access from the Internet should be blocked** | **RDP access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows RDP access from Internet. | Deny | 1.0.0 |
-| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny | 2.0.0 |
-| **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | `Policy Definition`, **Built-in** | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. | DeployIfNotExists | 8.0.0 |
+| **Management port access from the Internet should be blocked** | **Management port access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows management port access from Internet (Default port 22, 3389). | Deny |
+| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. 
| Deny |
+| **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | `Policy Definition`, **Built-in** | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. | DeployIfNotExists |
+| **Deploy Azure Monitor Baseline Alerts for Identity** | **Deploy Azure Monitor Baseline Alerts for Identity** | `Policy Definition Set`, **Custom** | Deploys alerting for identity related resources. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Identity initiative. | DeployIfNotExists |
 ### Landing Zones 
@@ -182,27 +223,43 @@ This is the parent management group for all the landing zone child management gr
 | **Policy Type** | **Count** |
 | :--- | :---: |
-| `Policy Definition Sets` | **1** |
-| `Policy Definitions` | **12** |
+| `Policy Definition Sets` | **13** |
+| `Policy Definitions` | **15** |
 The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Landing Zones Management Group**.
-| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
-| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ------- |
-| **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | `Policy Definition Set`, **Custom** | Description TBC | Audit, AuditIfNotExists, DeployIfNotExists, Deny | 1.0.0 |
-| **RDP access from the Internet should be blocked** | **RDP access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows RDP access from Internet | Deny | 1.0.0 |
-| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | 
This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny | 2.0.0 |
-| **Network interfaces should disable IP forwarding** | **Network interfaces should disable IP forwarding** | `Policy Definition`, **Built-in** | This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. | Deny | 1.0.0 |
-| **Secure transfer to storage accounts should be enabled** | **Secure transfer to storage accounts should be enabled** | `Policy Definition`, **Built-in** | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit | 2.0.0 |
-| **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | `Policy Definition`, **Built-in** | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. | DeployIfNotExists | 4.0.0 |
-| **Auditing on SQL server should be enabled** | **Auditing on SQL server should be enabled** | `Policy Definition`, **Built-in** | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists | 2.0.0 |
-| **Deploy Threat Detection on SQL servers** | **Configure Azure Defender to be enabled on SQL servers** | `Policy Definition`, **Built-in** | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
| DeployIfNotExists | 2.1.0 |
-| **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | `Policy Definition`, **Built-in** | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. | DeployIfNotExists | 8.0.0 |
-| **Virtual networks should be protected by Azure DDoS Network Protection** | **Virtual networks should be protected by Azure DDoS Network Protection** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection . | Modify | 1.0.0 |
-| **Kubernetes cluster should not allow privileged containers** | **Kubernetes cluster should not allow privileged containers** | `Policy Definition`, **Built-in** | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny | 7.2.0 |
-| **Kubernetes clusters should not allow container privilege escalation** | **Kubernetes clusters should not allow container privilege escalation** | `Policy Definition`, **Built-in** | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
| Audit | 4.2.0 |
-| **Kubernetes clusters should be accessible only over HTTPS** | **Kubernetes clusters should be accessible only over HTTPS** | `Policy Definition`, **Built-in** | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny | 6.1.0 |
+| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
+| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
+| **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | `Policy Definition Set`, **Custom** | Description TBC | Audit, AuditIfNotExists, DeployIfNotExists, Deny |
+| **Enforce recommended guardrails for Azure Key Vault** | **Enforce recommended guardrails for Azure Key Vault** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Key vaults should have soft delete enabled (Deny)
  • Key vaults should have purge protection enabled (Deny)
  • Key Vault secrets should have an expiration date (Audit)
  • Key Vault keys should have an expiration date (Audit)
  • Azure Key Vault should have firewall enabled (Audit)
  • Certificates should have the specified lifetime action triggers (Audit)
  • Keys should have more than the specified number of days before expiration (Audit < 90 days)
  • Secrets should have more than the specified number of days before expiration (Audit < 90 days)
| Audit, Deny |
+| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Immutability must be enabled for backup vaults
  • Immutability must be enabled for Recovery Services vaults
  • Soft delete should be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit |
+| **Enforce Azure Compute Security Benchmark compliance auditing** | **Enforce Azure Compute Security Benchmark compliance auditing** | `Policy Definition Set`, **Custom** | This policy initiative enables Azure Compute Security Basline compliance auditing for Windows and Linux virtual machines. | AuditIfNotExists |
+| **Management port access from the Internet should be blocked** | **Management port access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows management port access from Internet (Default port 22, 3389). | Deny |
+| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny |
+| **Network interfaces should disable IP forwarding** | **Network interfaces should disable IP forwarding** | `Policy Definition`, **Built-in** | This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. | Deny |
+| **Secure transfer to storage accounts should be enabled** | **Secure transfer to storage accounts should be enabled** | `Policy Definition`, **Built-in** | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit |
+| **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | `Policy Definition`, **Built-in** | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. | DeployIfNotExists |
+| **Configure SQL servers to have auditing enabled to Log Analytics workspace** | **Configure SQL servers to have auditing enabled to Log Analytics workspace** | `Policy Definition`, **Built-in** | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | DeployIfNotExists |
+| **Deploy Threat Detection on SQL servers** | **Configure Azure Defender to be enabled on SQL servers** | `Policy Definition`, **Built-in** | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists |
+| **Deploy TDE on SQL servers** | **Deploy TDE on SQL servers** | `Policy Definition`, **Built-in** | This policy ensures that Transparent Data Encryption is enabled on SQL Servers | DeployIfNotExists |
+| **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | `Policy Definition`, **Built-in** | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. 
Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. | DeployIfNotExists |
+| **Virtual networks should be protected by Azure DDoS Network Protection** | **Virtual networks should be protected by Azure DDoS Network Protection** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection . | Modify |
+| **Kubernetes cluster should not allow privileged containers** | **Kubernetes cluster should not allow privileged containers** | `Policy Definition`, **Built-in** | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny |
+| **Kubernetes clusters should not allow container privilege escalation** | **Kubernetes clusters should not allow container privilege escalation** | `Policy Definition`, **Built-in** | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Audit |
+| **Kubernetes clusters should be accessible only over HTTPS** | **Kubernetes clusters should be accessible only over HTTPS** | `Policy Definition`, **Built-in** | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. 
| Deny |
+| **Web Application Firewall (WAF) should be enabled for Application Gateway** | **Web Application Firewall (WAF) should be enabled for Application Gateway** | `Policy Definition`, **Built-in** | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit |
+| **Deploy Azure Monitor Baseline Alerts for Landing Zone**\* | **Deploy Azure Monitor Baseline Alerts for Landing Zone** | `Policy Definition Set`, **Custom** | Deploys alerting for landing zone related resources. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. | DeployIfNotExists |
+| **Enable Azure Monitor for VMs**\* | **Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines (VMs) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled |
+| **Enable Azure Monitor for Virtual Machine Scale Sets**\* | **Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines scale sets (VMSS) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. 
| DeployIfNotExists, Disabled |
+| **Enable Azure Monitor for Hybrid Virtual Machines**\* | **Enable Azure Monitor for Hybrid VMs with AMA** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on Arc-enabled servers (Hybrid) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled |
+| **Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.**\* | **Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines** | `Policy Definition Set`, **Custom** | With this policy initiative, you can enable automatic OS updates assessment every 24 hours. This is a custom initiative of built-in policies. | Modify |
+| **Enable ChangeTracking and Inventory for virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
+| **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. 
| DeployIfNotExists, Disabled |
+| **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
+| **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled |
+
+> \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future.
 ### Corp 
@@ -225,13 +282,13 @@ This management group is for corporate landing zones. This group is for workload The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Corp Management Group**. -| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version | -| -------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | ------- | -| **Public network access should be disabled for PaaS services** | **Public network access should be disabled for PaaS services** | `Policy Definition Set`, **Custom** | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints | Deny | 1.0.0 | -| **Configure Azure PaaS services to use private DNS zones** | **Configure Azure PaaS services to use private DNS zones** | `Policy Definition Set`, **Custom** | This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones | DeployIfNotExists | 1.0.0 | -| **Prevent usage of Databricks with public IP** | **Deny public IPs for Databricks cluster** | `Policy Definition`, **Custom** | Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. 
| Deny | 1.0.0 | -| **Enforces the use of Premium Databricks workspaces** | **Deny non-premium Databricks sku** | `Policy Definition`, **Custom** | Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. | Deny | 1.0.0 | -| **Enforces the use of vnet injection for Databricks** | **Deny Databricks workspaces without Vnet injection** | `Policy Definition`, **Custom** | Enforces the use of vnet injection for Databricks workspaces. | Deny | 1.0.0 | +| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | +| -------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | +| **Public network access should be disabled for PaaS services** | **Public network access should be disabled for PaaS services** | `Policy Definition Set`, **Custom** | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints | Deny | +| **Configure Azure PaaS services to use private DNS zones** | **Configure Azure PaaS services to use private DNS zones** | `Policy Definition Set`, **Custom** | This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones | DeployIfNotExists | +| **Deny network interfaces having a public IP associated** | **Network interfaces should not have public IPs** | `Policy Definition`, **Built-in** | This policy denies network interfaces from having a public IP associated to it under the assigned scope. 
| Deny | +| **Deny the deployment of vWAN/ER/VPN gateway resources** | **Not allowed resource types** | `Policy Definition`, **Built-in** | Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone. | Deny | +| **Audit Private Link Private DNS Zone resources** | **Audit the creation of Private Link Private DNS Zones** | `Policy Definition`, **Custom** | Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone. | Audit | ### Online @@ -254,42 +311,50 @@ This management group is for online landing zones. This group is for workloads t ### Decommissioned -This management group is for landing zones that are being cancelled. Cancelled landing zones will be moved to this management group before deletion by Azure after 30-60 days. There are currently no policies assigned at this management group. +This management group is for landing zones that are being cancelled. Cancelled landing zones will be moved to this management group before deletion by Azure after 30-60 days.
Management Group Policy Configuration
-![image](./media/Decom_v0.1.jpg) +![image](./media/Decom_v0.1.svg) | **Policy Type** | **Count** | | :--- | :---: | -| `Policy Definition Sets` | **0** | +| `Policy Definition Sets` | **1** | | `Policy Definitions` | **0** |
+| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | +| -------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | +| **Enforce ALZ Decommissioned Guardrails** | **Enforce policies in the Decommissioned Landing Zone** | `Policy Definition Set`, **Custom** | This initiative will help enforce and govern subscriptions that are placed within the decommissioned Management Group as part of your Subscription decommissioning process. Policies included:
  • Deny the deployment of new resources
  • Deploy an auto VM shutdown policy at UTC 00:00
| Enforce | + ### Sandbox -This management group is for subscriptions that will only be used for testing and exploration by an organization. These subscriptions will be securely disconnected from the corporate and online landing zones. Sandboxes also have a less restrictive set of policies assigned to enable testing, exploration, and configuration of Azure services. There are currently no policies assigned at this management group. +This management group is for subscriptions that will only be used for testing and exploration by an organization. These subscriptions will be securely disconnected from the corporate and online landing zones. Sandboxes also have a less restrictive set of policies assigned to enable testing, exploration, and configuration of Azure services.
Management Group Policy Configuration
-![image](./media/Sandbox_v0.1.jpg) +![image](./media/Sandbox_v0.1.svg) | **Policy Type** | **Count** | | :--- | :---: | -| `Policy Definition Sets` | **0** | +| `Policy Definition Sets` | **1** | | `Policy Definitions` | **0** |
+| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | +| -------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | +| **Enforce ALZ Sandbox Guardrails** | **Enforce policies in the Sandbox Landing Zone** | `Policy Definition Set`, **Custom** | This initiative will help enforce and govern subscriptions that are placed within the Sandobx Management Group. Policies included:
  • Deny vNET peering across subscriptions
  • Deny the deployment of vWAN/ER/VPN gateways.
| Enforce | + ### Versioning Each policy definition and initiative contains a version in its metadata section: @@ -305,6 +370,7 @@ Each policy definition and initiative contains a version in its metadata section ] } ``` +To track and review policy and initiative versions, please refer to [AzAdvertizer](https://www.azadvertizer.net/index.html). This version is incremented according to the following rules (subject to change): - **Major Version** (**1**.0.0) 
@@ -341,13 +407,37 @@ This version is incremented according to the following rules (subject to change) This section aims to explain what it means when a built-in policy has a state of ‘preview’ or ‘deprecated’. -Policies can be in preview because a property (alias) referenced in the policy definition is in preview, or the policy is newly introduced and would like additional customer feedback. A policy may get deprecated when the property (alias) becomes deprecated & not supported in the resource type's latest API version, or when there is manual migration needed by customers due to a breaking change in a resource type's latest API version. +Policies can be in preview because a property (alias) referenced in the policy definition is in preview, or the policy is newly introduced and would like additional customer feedback. A policy may get deprecated when the property (alias) becomes deprecated & not supported in the resource type's latest API version, or when there is manual migration needed by customers due to a breaking change in a resource type's latest API version. When a policy gets deprecated or gets out of preview, there is no impact on existing assignments. Existing assignments continue to work as-is. The policy is still evaluated & enforced like normal and continues to produce compliance results. -Here are the changes that occur when a policy gets deprecated: -- Display name is appended with ‘[Deprecated]:’ prefix, so that customers have awareness to migrate or delete the policy. -- Description gets updated to provide additional information regarding the deprecation. -- The version number is updated with ‘-deprecated’ suffix. (see [Policy Versioning](#versioning) above) +Here are the changes that occur when a policy gets deprecated: + +- Display name is appended with ‘[Deprecated]: ’ prefix, so that customers have awareness to migrate or delete the policy. 
+- Description gets updated to provide additional information regarding the deprecation with a link to the superseding policy. +- Add `supersededBy` metadata property to the policy definition with the name of the superseding policy. +- Add `deprecated` metadata property to the policy definition with value set to `true`. +- The version number is updated with ‘-deprecated’ suffix. (see [Policy Versioning](#versioning) above). + +Example (policy snippet of deprecated policy): + +```json + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated]: Deploy SQL Database vulnerability Assessments", + "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html", + "metadata": { + "version": "1.0.1-deprecated", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "Deploy-Sql-vulnerabilityAssessments_20230706", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + } +``` > **NOTE:** The `name` value must not change in the file through deprecation or preview. diff --git a/docs/wiki/ALZ-Resource-Provider-Recommendations.md b/docs/wiki/ALZ-Resource-Provider-Recommendations.md new file mode 100644 index 0000000000..977523f0ac --- /dev/null +++ b/docs/wiki/ALZ-Resource-Provider-Recommendations.md 
@@ -0,0 +1,52 @@ + +# ALZ Azure Resource Provider Recommendations + + +## What are Resource Providers in Azure? + +An Azure resource provider is a set of REST operations that enable functionality for a specific Azure service. For example, the Key Vault service consists of a resource provider named **Microsoft.KeyVault**. The resource provider defines [REST operations](https://learn.microsoft.com/rest/api/keyvault/) for managing vaults, secrets, keys, and certificates. + +To deploy a resource in Azure, you must ensure your Azure subscription is registered for the resource provider that is associated with that resource. Registration configures your subscription to work with the resource provider. You can view a list of all resource providers in Azure by service [here](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-services-resource-providers#registration). Learn how to view all your resource providers in the portal [here](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-providers-and-types#view-resource-provider). + +## Default Resource Providers + +Some resource providers are turned on by Azure by default on all subscriptions during time of subscription creation and are not possible to unregister. Some examples are Microsoft.SerialConsole, Microsoft.Authorization, and Microsoft.Consumption. You can view a list of providers turned on by default by service [here](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-services-resource-providers#registration). Resource providers marked with **- registered by default** in the tables are automatically registered for your subscription, and you do not need to worry about them. 
+ +## Resource Providers for Enterprise-Scale ALZ Deployment (Empty Subscriptions) + +To successfully deploy an Enterprise-Scale with a predefined [template](https://aka.ms/caf/ready/accelerator), along with ensuring other [prerequisites](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-ALZ-Pre-requisites) are complete, ensure these Resource Providers are [registered](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-providers-and-types) in ALL subscriptions associated with your new Landing Zone: + +* microsoft.insights +* Microsoft.AlertsManagement +* Microsoft.OperationalInsights +* Microsoft.OperationsManagement +* Microsoft.Automation +* Microsoft.AlertsManagement +* Microsoft.Security +* Microsoft.Network +* Microsoft.EventGrid +* Microsoft.ManagedIdentity +* Microsoft.GuestConfiguration +* Microsoft.Advisor +* Microsoft.PolicyInsights + +This list of RPs is all you need to deploy Enterprise Scale for EMPTY subscriptions (only resources listed in the template). If you want to deploy additional resources, please ensure the RPs for those resources are also registered. + +Most of the time, if they are not registered prior, Azure should automatically register them for you. However, in some cases, deployment fails if the proper Resource Providers are not registered. + +# Additional Recommended Resource Providers to Register (for common resources) + +Some other common Resource Providers to consider having registered in your subscriptions for resources you may deploy are: + +* Microsoft.Compute +* Microsoft.Storage +* Microsoft.ResourceHealth +* Microsoft.KeyVault +* Microsoft.Sql +* Microsoft.Capacity +* Microsoft.ManagedServices +* Microsoft.Management +* Microsoft.SecurityInsights +* Microsoft.Blueprint +* Microsoft.Cache +* Microsoft.RecoveryServices diff --git a/docs/wiki/ALZ-Setup-aad-permissions.md b/docs/wiki/ALZ-Setup-aad-permissions.md index ba1c300588..ee1bfc6af8 100644 --- a/docs/wiki/ALZ-Setup-aad-permissions.md 
+++ b/docs/wiki/ALZ-Setup-aad-permissions.md 
@@ -1,16 +1,16 @@ -# Configure Azure Active Directory permissions for Service Principal +# Configure Microsoft Entra ID permissions for Service Principal -This article will guide you through the process to add your AzOps service principal to the Azure Active Directory [Directory Readers](https://learn.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) role. +This article will guide you through the process to add your AzOps service principal to the Microsoft Entra ID [Directory Readers](https://learn.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) role. -> Note: The steps below requires you to use an identity that is local to the Azure AD, and **_not_** a Guest user account due to known restrictions. +> Note: The steps below requires you to use an identity that is local to the Microsoft Entra ID, and **_not_** a Guest user account due to known restrictions. -The service principal used by the Enterprise-Scale reference implementation requires Azure AD directory reader permissions to be able to discover Azure role assignments. These permissions are used to enrich data around the role assignments with additional Azure AD context such as ObjectType and Azure AD Object DisplayName. +The service principal used by the Enterprise-Scale reference implementation requires Microsoft Entra directory reader permissions to be able to discover Azure role assignments. These permissions are used to enrich data around the role assignments with additional Microsoft Entra context such as ObjectType and Microsoft Entra Object DisplayName. ## Add service principal to directory role via Azure Portal (Option 1) -1.1 Sign in to the Azure portal or the Azure Active Directory admin center as a Global Administrator. If you are using Azure AD Privileged Identity Management, activate your Global Administrator role assignment. +1.1 Sign in to the Azure portal or the Microsoft Entra admin center as a Global Administrator. 
If you are using Microsoft Entra Privileged Identity Management, activate your Global Administrator role assignment. -1.2 Open Azure Active Directory. +1.2 Open Microsoft Entra ID. 1.3 Under _Manage_ > _Roles and administrators_, select _Directory readers_. ![alt](./media/aad-rolesandadministrators.png) @@ -19,11 +19,11 @@ The service principal used by the Enterprise-Scale reference implementation requ ![alt](./media/directory-reader.png) -> Note: In case you are using Azure AD Privileged Identity management, ensure you add the service principal to the role with a permanent assignment. +> Note: In case you are using Microsoft Entra Privileged Identity management, ensure you add the service principal to the role with a permanent assignment. ## Add service principal to directory role with Azure AD PowerShell (Option 2) -Ensure that you have the [AzureAD PowerShell module installed on your machine](https://learn.microsoft.com/powershell/module/azuread/?view=azureadps-2.0) and that you have connected to Azure AD with the [Connect-AzureAD](https://learn.microsoft.com/powershell/module/azuread/connect-azuread?view=azureadps-2.0) cmdlet. +Ensure that you have the [AzureAD PowerShell module installed on your machine](https://learn.microsoft.com/powershell/module/azuread/?view=azureadps-2.0) and that you have connected to Microsoft Entra ID with the [Connect-AzureAD](https://learn.microsoft.com/powershell/module/azuread/connect-azuread?view=azureadps-2.0) cmdlet. ````powershell 
@@ -49,14 +49,14 @@ if (-not (Get-AzureADServicePrincipal -Filter "DisplayName eq '$ADServicePrincip else { Write-Host "$ADServicePrincipal exist" -ForegroundColor 'Green' $ServicePrincipal = Get-AzureADServicePrincipal -Filter "DisplayName eq '$ADServicePrincipal'" - #Get Azure AD Directory Role + #Get Microsoft Entra Directory Role $DirectoryRole = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Directory Readers'" #Add service principal to Directory Role Add-AzureADDirectoryRoleMember -ObjectId $DirectoryRole.ObjectId -RefObjectId $ServicePrincipal.ObjectId } ```` -Please note, it may take up to 15-30 minutes for permission to propagate in Azure AD. +Please note, it may take up to 15-30 minutes for permission to propagate in Microsoft Entra ID. ## Next steps diff --git a/docs/wiki/ALZ-Setup-azure.md b/docs/wiki/ALZ-Setup-azure.md index 5a3b4aad40..729a033833 100644 --- a/docs/wiki/ALZ-Setup-azure.md +++ b/docs/wiki/ALZ-Setup-azure.md 
@@ -2,19 +2,19 @@ This article will guide you through the process of configuring permissions in your Azure environment to enable ARM tenant level deployments. -> Note: The steps below require you to use an identity that is local to the Azure AD, and **_not_** Guest user account due to known restrictions. +> Note: The steps below require you to use an identity that is local to the Microsoft Entra ID, and **_not_** Guest user account due to known restrictions. -Enterprise-Scale reference implementation requires permission at tenant root scope "/" to be able to configure Management Group and create/move subscription. In order to grant permission at tenant root scope "/", users in "AAD Global Administrators" group can temporarily elevate access, to manage all Azure resources in the directory. +Enterprise-Scale reference implementation requires permission at tenant root scope "/" to be able to configure Management Group and create/move subscription. In order to grant permission at tenant root scope "/", users in "Microsoft Entra Global Administrators" group can temporarily elevate access, to manage all Azure resources in the directory. Once the User Access Administrator (UAA) role is enabled, a UAA can grant **_other users and service principals_** within organization to deploy/manage Enterprise-Scale reference implementation by granting "Owner" permission at tenant root scope "/". -Once permission is granted to other **users and service principals**, you can safely disable "User Access Administrator" permission for the "AAD Global Administrator" users. For more information please follow this article [elevated account permissions](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) +Once permission is granted to other **users and service principals**, you can safely disable "User Access Administrator" permission for the "Microsoft Entra Global Administrator" users. 
For more information please follow this article [elevated account permissions](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) ## 1. Elevate Access to manage Azure resources in the directory -1.1 Sign in to the Azure portal or the Azure Active Directory admin center as a Global Administrator. If you are using Azure AD Privileged Identity Management, activate your Global Administrator role assignment. +1.1 Sign in to the Azure portal or the Microsoft Entra admin center as a Global Administrator. If you are using Microsoft Entra Privileged Identity Management, activate your Global Administrator role assignment. -1.2 Open Azure Active Directory. +1.2 Open Microsoft Entra ID. 1.3 Under _Manage_, select _Properties_. ![alt](https://learn.microsoft.com/azure/role-based-access-control/media/elevate-access-global-admin/azure-active-directory-properties.png) @@ -25,7 +25,7 @@ Once permission is granted to other **users and service principals**, you can sa ## 2. Grant Access to User and/or Service principal at root scope "/" to deploy Enterprise-Scale reference implementation -Please ensure you are logged in as a user with UAA role enabled in AAD tenant and logged in user is not a guest user. +Please ensure you are logged in as a user with UAA role enabled in Microsoft Entra tenant and logged in user is not a guest user. Bash 
@@ -41,7 +41,7 @@ az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az a #(optional) assign Owner role at Tenant root scope ("/") as a User Access Administrator to service principal (set spn_displayname to your service principal displayname) spn_displayname='' -az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad sp list --display-name $spn_displayname --query '[].{objectId:objectId}' -o tsv) --assignee-principal-type ServicePrincipal +az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad sp list --display-name "$spn_displayname" --query '[].id' -o tsv) --assignee-principal-type ServicePrincipal ```` PowerShell diff --git a/docs/wiki/Community-Calls.md b/docs/wiki/Community-Calls.md index 15df780c78..0c3121d953 100644 --- a/docs/wiki/Community-Calls.md +++ b/docs/wiki/Community-Calls.md @@ -1,6 +1,11 @@ ## In this Section - [In this Section](#in-this-section) +- [June 2024](#12th-june-2024-12062024) +- [March 2024](#11th-march-2024-11032024) +- [December 2023](#6th-december-2023-06122023) +- [September 2023](#25th-september-2023-25092023) +- [April 2023](#27th-april-2023-27042023) - [January 2023](#31st-january-2023-31012023) - [May 2022](#2nd-may-2022-02052022) - [November 2021](#17th-november-2021-17112021) 
@@ -8,10 +13,60 @@ --- -On this page you will find the meeting recordings and PowerPoint slides from previous Enterprise Scale Community Calls +On this page you will find the meeting recordings and PowerPoint slides from previous Azure Landing Zone External Community Calls. To sign-up to the next Azure Landing Zone External Community Call, head to: [https://aka.ms/alz/communitycallregister](https://aka.ms/alz/communitycallregister) > Short link to this page is [aka.ms/alz/community](https://aka.ms/alz/community) +## 12th June 2024 (12/06/2024) + +### Recording + +[![Screenshot of Azure Landing Zones Community Call from June 2024 recording on YouTube](./media/community-calls/june-2024/youtube-thumbnail.png)](https://youtu.be/m4_peeUdZoY?si=PNS8ySiC-bWCSs83) + +### Slides + +A PDF of the PowerPoint slides is available [here.](./media/community-calls/june-2024/ALZ-Community-Call-12062024.pdf) + +## 11th March 2024 (11/03/2024) + +### Recording + +[![Screenshot of Azure Landing Zones Community Call from March 2024 recording on YouTube](./media/community-calls/march-2024/youtube-thumbnail.png)](https://youtu.be/KNJ0J4jkD7M?si=iOSrP-_uLoB0VW0t) + +### Slides + +A PDF of the PowerPoint slides is available [here.](./media/community-calls/march-2024/ALZ-Community-Call-11032024.pdf) + +## 6th December 2023 (06/12/2023) + +### Recording + +[![Screenshot of Azure Landing Zones Community Call from December 2023 recording on YouTube](./media/community-calls/dec-2023/youtube-screenshot.png)](https://youtu.be/E3Pz_VcefZ4?si=3tx8ZZUfFq9-WyF0) + +### Slides + +A PDF of the PowerPoint slides is available [here.](./media/community-calls/dec-2023/ALZ-Community-Call-06122023.pdf) + +## 25th September 2023 (25/09/2023) + +### Recording + +[![Screenshot of Azure Landing Zones Community Call from September 2023 recording on YouTube](./media/community-calls/sept-2023/youtube-screenshot.png)](https://youtu.be/z8Ez1wt66FE) + +### Slides + +A PDF of the PowerPoint slides is available 
[here.](./media/community-calls/sept-2023/ALZ-Community-Call-25092023.pdf) + +## 27th April 2023 (27/04/2023) + +### Recording + +[![Screenshot of Azure Landing Zones Community Call from April 2023 recording on YouTube](./media/community-calls/april-2023/alz-april-2023-youtube-screenshot.png)](https://youtu.be/gtKMOefcliQ) + +### Slides + +A PDF of the PowerPoint slides is available [here.](./media/community-calls/april-2023/ALZ-Community-Call-27-04-2023.pdf) + ## 31st January 2023 (31/01/2023) ### Recording @@ -50,4 +105,4 @@ A PDF of the PowerPoint slides is available [here.](./media/community-calls/nov- ### Slides -A PDF of the PowerPoint slides is available [here.](./media/community-calls/aug-2021/ESLZ-Community-Call-25082021.pdf) \ No newline at end of file +A PDF of the PowerPoint slides is available [here.](./media/community-calls/aug-2021/ESLZ-Community-Call-25082021.pdf) diff --git a/docs/wiki/Create-Landingzones.md b/docs/wiki/Create-Landingzones.md index 5ff795bfa2..4214fc8280 100644 --- a/docs/wiki/Create-Landingzones.md +++ b/docs/wiki/Create-Landingzones.md 
@@ -1,230 +1,18 @@ -## In this Section +## Create landing zones (subscriptions) via Subscription Vending -- [In this Section](#in-this-section) -- [Create landing zones (subscription) using AzOps](#create-landing-zones-subscription-using-azops) -- [Pre-requisites](#pre-requisites) -- [Enable Service Principal to create landing zones](#enable-service-principal-to-create-landing-zones) -- [ARM template repository](#arm-template-repository) -- [Create a new landing zone (subscriptions)](#create-a-new-landing-zone-subscriptions) +The approach of "Subscription Vending", materializes and standardizes the ALZ "Subscription Democratization" Design Principle, by formulating a process for requesting, deploying and governing Azure Subscriptions, and by doing so enabling the Applications Teams to onboard their workloads in a fast, yet deterministic way. ---- +For further details, one can look into the following articles: +- [Deploy Azure landing zones (Subscription Vending)](https://learn.microsoft.com/azure/architecture/landing-zones/landing-zone-deploy#subscription-vending) +- [Subscription vending implementation guidance](https://learn.microsoft.com/azure/architecture/landing-zones/subscription-vending) -## Create landing zones (subscription) using AzOps +The respective Bicep and Terraform automation / IaC Modules for Subscription Vending, can be found in: -Managing all the platform resources in a a single repository is one of the guiding principle for PlatformOps to manage the platform. Subscriptions representing landing zones are resource types manage by the PlatformOps team. As every other platform resource type subscriptions are created using the ARM API. For Subscriptions the API and versions vary and depend on the commercial contract. 
+- [Bicep Subscription Vending](https://github.com/Azure/bicep-lz-vending) +- [Terraform Subscription Vending](https://registry.terraform.io/modules/Azure/lz-vending/azurerm/latest) + +More broader information on programmatical creation of Azure Subscriptions (EA/MCA/MPA) via the latest APIs, can be found on the following articles: - [Enterprise Enrollment (EA)](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-enterprise-agreement) - [Microsoft Customer Agreement (MCA)](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement) - [Microsoft Partner Agreement (MPA)](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-partner-agreement) - -This article describes the flow to create subscriptions/landing zones in an Enterprise Enrollment (EA). Natively in Azure, *enrollment owner* have the permission to create and own subscriptions. *Enrollment owners* are user identities in Azure AD and in order to create subscriptions in an fully automated process the permission to create subscription need to be delegate to a Service Principal (SPN) or Managed Service Identity (MSI). - -One of the benefits using this approach is the management of platform security and governance in a single place and built into the platform repository and pipeline(s). - -## Pre-requisites - -Before getting started with this first steps ensure that AzOps has been [setup and configured for the target environment](./Deploying-Enterprise-Scale#validation-post-deployment-github). In this documentation the same Service Principal will be used to to assign the permission to create landing zones (subscription). - -For the Service Principal permissions to create subscriptions, access to an *enrollment account* that has a billing id associated is required. 
- ->Note: When using this Service Principal the subscription will be created under specified billing scope of *enrollment account*. Multiple enrollment account permissions can be granted to a Service Principal. The billing scope will be specified in the ARM template during the subscription creation process. - -Creating Azure subscriptions programmatically is allowed on specific types of Azure agreement types (EA, MCA, MPA). Refer to guidance on [Creating Azure subscriptions programmatically](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription) to know supported agreement types. - -## Enable Service Principal to create landing zones - -This section describes how AzOps is used to create subscriptions (landing zones) under management groups using ARM templates. In the following steps the *Enrollment account subscription creator* role will be assigned to a SPN as illustrated in the following article: - -![EA account / Service Principal](./media/ea-account-spn.png) - -**Login and fetch access token** -Login with the *enrollment account* (e.g. with `Login-AzAccount`) and execute the following commands to fetch a valid access token for the account: - -```powershell -# Provide the objectId of the AzOps service principal to grant access to enrolment account. -$spnObjectId = (Get-AzADServicePrincipal -DisplayName "MyAzOpsSPN").Id - -# Fetching new token -$token = Get-AzAccessToken -``` - -**List all the billing accounts and enrollment accounts** -As a next step, list and identify the "billing account" and *enrollment account* the user has access to. These two information are required to request the roles available and to assign the permissions to the Service Principal. - -The following scripts lists the *billing account* and "enrollment account" and assigns it to a variables which will be used later in this guide. 
- -```powershell -# Request billing accounts that the identity has access to -$listOperations = @{ - Uri = "https://management.azure.com/providers/Microsoft.Billing/billingaccounts?api-version=2020-05-01" - Headers = @{ - Authorization = "Bearer $($token.Token)" - 'Content-Type' = 'application/json' - } - Method = 'GET' -} -$listBillingAccount = Invoke-RestMethod @listOperations - -# List billing accounts -$listBillingAccount | ConvertTo-Json -Depth 100 - -# Select first billing account and the corresponding enrollment account -$billingAccount = $listBillingAccount.value[0].id -$enrollmentAccountId = $listBillingAccount.value[0].properties.enrollmentAccounts[0].id -``` - -**Read existing role definitions for the enrolment account** -Multiple role definitions exists on an *enrollment account*. When this article was written the following role definitions exist: - -| Role name | ID | -| :-------------------------------------- | :----------------------------------- | -| Enrollment account owner | c15c22c0-9faf-424c-9b7e-bd91c06a240b | -| Enrollment account subscription creator | a0bcee42-bf30-4d1b-926a-48d21664ef71 | - -Both role definitions have the `Microsoft.Subscription/subscriptions/write` permission required to create subscriptions. *Enrollment account subscription creator* can be assigned to a Service Principal. - -```powershell -# Get billing roleDefinitions available at scope -$listRbacObj = @{ - Uri = "https://management.azure.com/$($enrollmentAccountId)/billingRoleDefinitions?api-version=2019-10-01-preview" - Headers = @{ - Authorization = "Bearer $($token.Token)" - 'Content-Type' = 'application/json' - } - Method = "GET" -} -$listRbac = Invoke-WebRequest @listRbacObj -$listRbac.Content | ConvertFrom-Json | ConvertTo-Json -Depth 100 -``` - -**Assign permission (role assignment)** -As a last step the Service Principal will be granted access to the *enrolment account* by assigning a role with the `Microsoft.Subscription/subscriptions/write` permission. 
Built-in role *Enrollment account subscription creator (GUID: a0bcee42-bf30-4d1b-926a-48d21664ef71)* is required. - -```powershell -# roledefinitonId (billingRoleDefinitions) has be equal to the role id of the "enrollment account subscription creator" role listed in the rbacContent object -$roleAssignmentBody = @" -{ - "properties": { - "principalId": "$($spnObjectId)", - "roleDefinitionId": "$($enrollmentAccountId)/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71" - } -} -"@ - -# Generate new GUID for the role assignment -$rbacGuid = New-Guid - -# Assign 'Enrollment account subscription creator' role to the SPN -$assignRbac = @{ - Uri = "https://management.azure.com/$($enrollmentAccountId)/billingRoleAssignments/$($rbacGuid)?api-version=2019-10-01-preview" - Headers = @{ - Authorization = "Bearer $($token.Token)" - 'Content-Type' = 'application/json' - } - Method = "PUT" - Body = $roleAssignmentBody - UseBasicParsing = $true -} -$assignedRbac = Invoke-RestMethod @assignRbac -``` - -After the role is successfully assigned Service Principal can be used to create subscriptions (landing zones). - ->Note: The Service Principal can be granted access to multiple *enrolment accounts*. To enable this, execute this sequence multiple times (once per *enrollment account*). - -## ARM template repository - -PlatformOps will use AzOps CI/CD pipelines to create subscriptions (landing zones) before handing it out to application teams. [Steps below](#create-a-subscription-landing-zone-using-azops) will use this approach to create a subscription. - ->Hint: Different examples are published in the Enterprise-Scale repository to automate landing zone creation [here](https://github.com/Azure/Enterprise-Scale/tree/main/examples/landing-zones). - -## Create a new landing zone (subscriptions) - -Creating a landing zone (subscription) is as simple as creating any other resource in Azure. 
The same sequence of steps will be needed as used for other platform resource deployments (e.g. [deploy a policyAssignments](./Deploying-Enterprise-Scale#create-new-policy-assignment-for-validation)). - -To successfully deploy a subscription using AzOps the following steps will be required: - -- 'Connect' AzOps to the Azure Environment, ensure that ['Pull' workflow runs successfully](./Deploying-Enterprise-Scale#validation-post-deployment-github) -- Enable the AzOps SPN for subscription creation as documented [here](#enable-service-principal-to-create-landing-zones) -- Ensure that SPN has Owner permissions at the target management group the subscription will be deployed under - -The following steps will deploy an empty subscription under the '*company-prefix*-online' management group - -1. Create a new branch 'new-landing-zone' in your AzOps Git repository and make it current - -> Git command: `git checkout -b new-landing-zone`) - -2. Copy the file [emptySubscription.json](https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/examples/landing-zones/empty-subscription/emptySubscription.json) or the example below and save it to the '*company-prefix*-online' folder in the folder structure. - -ARM template to create an empty subscription: -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "subscriptionAliasName": { - "type": "string", - "metadata": { - "description": "Provide a name for the alias. This name will also be the display name of the subscription." - } - }, - "billingAccountId": { - "type": "string", - "metadata": { - "description": "Provide the full resourceId of the MCA or the enrollment account id used for subscription creation." - } - }, - "targetManagementGroup": { - "type": "string", - "metadata": { - "description": "Provide the resourceId of the target management group to place the subscription." 
- } - } - }, - "resources": [ - { - "scope": "/", // routing the request to tenant root - "name": "[parameters('subscriptionAliasName')]", - "type": "Microsoft.Subscription/aliases", - "apiVersion": "2020-09-01", - "properties": { - "workLoad": "Production", - "displayName": "[parameters('subscriptionAliasName')]", - "billingScope": "[parameters('billingAccountId')]", - "managementGroupId": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('targetManagementGroup'))]" - } - } - ], - "outputs": {} -} -``` - -3. Create a `emptySubscription.parameters.json` file in the same folder with the parameters below and update the values appropriate. - -- `subscriptionAliasName` - Tenant wide unique alias for the subscription. Will also become the display name for the subscription. -- `billingAccountId` - Provide the full resourceId of the MCA or the enrollment account id used for subscription creation (e.g. `/providers/Microsoft.Billing/billingAccounts//enrollmentAccounts/ `main`) - -> Hint: As part of the PR validation AzOps deploys the new subscriptions and merges the changes to the `main` branch. - -5. Validate in subscription creation was successful using the Azure Portal diff --git a/docs/wiki/Deploying-ALZ-BasicSetup.md b/docs/wiki/Deploying-ALZ-BasicSetup.md index ce355eed1e..8478a3fd14 100644 --- a/docs/wiki/Deploying-ALZ-BasicSetup.md +++ b/docs/wiki/Deploying-ALZ-BasicSetup.md 
@@ -8,10 +8,7 @@ Please refer to [Trey Research reference implementation](https://github.com/Azur ## 1. Pre-requisites -### Required Permissions - -To provision Azure landing zone portal accelerator in your environment, **your user/service principal must have Owner permission at the Azure Active Directory Tenant root**. -Refer to these [instructions](./Deploying-Enterprise-Scale-Pre-requisites) on how to grant access before you proceed. +There are a number of prerequisites which need to be met before you can provision an Azure landing zones environment via the deployment experience in the Azure portal. See the following [instructions](./Deploying-ALZ-Pre-requisites.md) on how to grant access before you proceed. ### Subscriptions @@ -49,6 +46,7 @@ On the *Azure Core setup* blade you will: - **Provide a prefix** that will be used to name your management group hierarchy **and** platform resources. - Choose between using dedicated subscriptions or a single subscription to host platform resources. +- Choose between deploying in a single region, or in two regions. **Please Note:** A dedicated platform subscriptions is in general recommended. However, some Customers have the requirement to host their platform and applications within a single subscription. This tutorial is aimed at Customers with this requirement. @@ -56,6 +54,10 @@ On the *Azure Core setup* blade you will: ![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix-singlesubscription.jpg) +Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region. + +![ALZ-Secondary-Region](./media/ALZ-secondaryregion-singlesubscription.jpg) + Click **Next: Platform management, security, and governance>**. ![coreSetupTab-next](./media/ESLZ-Company-Prefix-2-singlesubscription.jpg) 
@@ -74,7 +76,6 @@ On the *Platform management, security, and governance* blade, you will: - Enable **Deploy Log Analytics workspace and enable monitoring for your platform and resources** to get a central [Log Analytics Workspace](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs#log-analytics-and-workspaces) and an [Automation Account deployed](https://learn.microsoft.com/en-us/azure/automation/automation-intro) deployed, and a set of [Azure Policies](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) applied at the root of the Azure landing zone Management Group hierarchy to make sure Activity Logs from all your Subscriptions, and Diagnostic Logs from all your VMs and PaaS resources are sent to Log Analytics. - ![mgmtTab-enableLogs](./media/clip_image014-1-singlesubscription.jpg) - If required you can customize the retention time of your monitoring data from it's default of 30 days by using the **Log Analytics Data Retention (days)** slider. **Please note:** Increasing the retention time to more than 30 days will increase your costs. 
@@ -113,19 +114,11 @@ Click **Next: Platform Devops and Automation>** to configure how your Azure envi ![mgmtTab-next](./media/clip_image014asc-4-singlesubscription.jpg) -## 6. Platform DevOps and Automation - -Azure landing zone portal accelerator provides an integrated CI/CD pipeline via [AzOps](https://github.com/Azure/AzOps) that can be used with GitHub Actions. The *Platform Devops and Automation* tab allows you to bootstrap your CI/CD pipeline including your Azure landing zone deployment settings. For detailed steps for setting up this configuration, refer to the [Deploy Azure landing zone portal accelerator Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) article. - -**In this tutorial, your Azure landing zone deployment will be triggered using the Azure Portal experience**. +## 6. Baseline alerts and monitoring -Set **Deploy integrated CICD pipeline** to **No**. +On the *Baseline alerts and monitoring* blade, you can configure automated alert configuration for the different scopes in your Azure landing zone implementation. Enabling the different baseline alerts will assign the relevant initiative to the corresponding management group. If you enable the "Deploy one or more Azure Monitor Baseline Alerts" option, you **must** provide an email address to get email notifications from Azure Monitor for the deployment to proceed. -![iacTab-next](./media/clip_image-iac-1-singlesubscription.jpg) - -Click **Next: Network topology and connectivity>** to proceed with configuring your network setup. - -![iacTab-next](./media/clip_image-iac-2-singlesubscription.jpg) +![baseline alerts and monitoring](./media/alz-portal-baselinealerts.jpg) ## 7. Network topology and connectivity 
@@ -160,14 +153,16 @@ On the *Network topology and connectivity* blade you will configure your core ne Set **Deploy VPN Gateway** to **Yes**: - ![networkTab-topology](./media/clip_image036b-2-singlesubscription.png) + ![networkTab-topology](./media/ActiveActive.png) - - **Deploy zone redundant or regional VPN Gateway** and **Deploy zone redundant or regional ExpressRoute Gateway**: Zone-redundant gateways are recommended and enabled by default (as per the capabilities of the Region you are deploying your hub virtual network) as they provide higher resiliency and availability. You might opt for a regional deployment depending on your availability requirements and budget. In this tutorial you will deploy a zone-redudant VPN Gateway: + - **Deploy zone redundant or regional VPN Gateway** and **Deploy zone redundant or regional ExpressRoute Gateway**: Zone-redundant gateways are recommended and enabled by default (as per the capabilities of the Region you are deploying your hub virtual network) as they provide higher resiliency and availability. You might opt for a regional deployment depending on your availability requirements and budget. In this tutorial you will deploy a zone-redundant VPN Gateway: Select **Zone redundant (recommended)**. ![networkTab-gwDeploy](./media/clip_image036b-3-singlesubscription.png) + - **Deploy VPN Gateway in Active/Active mode**: You can create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device. In this configuration, each Azure gateway instance has a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection. See [Active-active VPN gateways](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways). 
+ - **Select the VPN Gateway SKU** and **Select the ExpressRoute Gateway VPN**: choose the right SKU based on your requirements (capabilities, throughput and availability). See [VPN Gateway SKUs](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku) and [ExpressRoute Gateway SKUs](https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gwsku) for further details on the virtual gateway's SKUs you have available in Azure. In this tutorial you will deploy a VpnGw2AZ which provides an aggregated throughput of up to 1 Gbps: ![networkTab-gwSku](./media/clip_image036b-4-singlesubscription.png) @@ -202,7 +197,7 @@ On the *Network topology and connectivity* blade you will configure your core ne - **Select Availability Zones for the Azure Firewall**: - In this tutorial you will deploy a zone-redudant Azure Firewall. + In this tutorial you will deploy a zone-redundant Azure Firewall. **Select two or more zones** to configure your Azure Firewall deployment to span multiple [Availability Zones](https://learn.microsoft.com/en-us/azure/firewall/features#availability-zones) (recommended for increased availability). 
@@ -218,6 +213,24 @@ On the *Network topology and connectivity* blade you will configure your core ne ![networkTab-fwSubnet](./media/clip_image036b-10-singlesubscription.png) +### Deploying networking resources in a second region + +If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability. + +The deployment will use the same deployment type as the primary region - either two hub and spokes with Azure firewall, two hub and spokes with your own-third party NVA, or an additional virtual WAN hub. + +![img](./media/clip_image080.png) + +You will need to specify the additional region to deploy to, and then you will be given the option to deploy and configure your gateways and (if applicable) your Azure firewall. + +![img](./media/clip_image081.png) + +For best results, use similar inputs to make sure that your regional deployments can both support the same architecture. However, if you want to forgo deploying a gateway or firewall in the second region, you can select the appropriate options. + +Once deployed, your regional hubs will be peered together and have routing tables assigned to the firewall subnets to handle routing to each other. You can add routes to this route table later, as you add spoke networks. If you have deployed DDoS protection in the primary region, it will be applied to the secondary region as well. + +Your Private DNS zones will be deployed in a resource group linked to your primary region, and will be assigned to both regions. See [Private Link and DNS integration at scale](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for more information. 
+ Click **Next: Identity>** once you had configured your network setup. ![networkTab-next](./media/clip_image036b-13-singlesubscription.png) 
@@ -240,21 +253,30 @@ Click **Next: Landing Zone configuration>** to continue with your deployment. ## 9. Landing zones configuration -It is possible to bring in N number of existing subscriptions that will be bootstrapped as landing zones, governed by Azure Policy: +In the top section you can **select** from a set of **recommended Azure policies** which ones you want to apply to secure and govern your Landing Zones. All landing zone Azure Policies are enabled by default (recommended) but are fully customizable. + +- **Please note:** Landing zone Azure Policies can be assigned at any time. + + Any Azure Policies you selected will be assigned to the [Landing Zones Management Group](./How-Enterprise-Scale-Works#enterprise-scale-management-group-structure) under the root of your Enterprise Scale Management Group hierarchy. See [landing zone Azure's Policies](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) for further details on the configurable set of Azure Policies. + + As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator experience will allow you to protect your landing zones with a DDoS Network Protection. For connected Landing Zones (*Corp* Landing Zones), you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones. 
+ + **In this tutorial, all recommended Azure Policies are enabled.** + + ![lzTab-policies](./media/clip_image037-4-singlesubscription.jpg) + +In the bottom two sections you can choose to bring in N number of existing subscriptions that will be bootstrapped as landing zones, governed by Azure Policy: + -![lzTab-intro](./media/clip_image037-1-singlesubscription.jpg) - **Select the subscriptions you want to move to corp management group:** Corp Landing Zones are meant to host workloads that require connectivity to other resources within the corporate network via the Hub in the Platform Subscription. -For Corp Landing Zones its virtual network can be connected (recommended) to the hub virtual network using virtual network peering, enabling access to your corporate network. Please note you will need to provide a non-overlapping private IP address space to be assigned to each Landing Zone. See [Plan for IP Addressing](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further recommendations. Also, if you deployed and enabled Azure Firewall as DNS proxy, [DNS settings on these VNets will be configured](https://learn.microsoft.com/en-us/azure/firewall/dns-settings#configure-virtual-network-dns-servers) with the Azure Firewall private IP address. +For Corp Landing Zones its virtual network can be connected (recommended) to the hub virtual network using virtual network peering, enabling access to your corporate network. Please note you will need to provide a non-overlapping private IP address space to be assigned to each Landing Zone. See [Plan for IP Addressing](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further recommendations. 
Also, if you deployed and enabled Azure Firewall as DNS proxy, [DNS settings on these VNets will be configured](https://learn.microsoft.com/en-us/azure/firewall/dns-settings#configure-virtual-network-dns-servers) with the Azure Firewall private IP address. In this section you can also select which Azure Policies you would like to enable for the corp management group specifically. In this tutorial, a "Corp" Landing Zone is provisioned using an existing (empty) subscription and connected to the Hub virtual network previously configured. Please note, additional subscriptions can be added. - Set **Connect corp landing zones to the connectivity hub (optional)** to **Yes**, then **select** an empty subscription (*corp-subscription*) and assign an address space: - - ![lzTab-corpLZs](./media/clip_image037-2-singlesubscription.jpg) - + - **Select the subscriptions you want to move to online management group**: Online Landing Zones are meant to host workloads that do not require connectivity/hybrid connectivity with the corporate network or that not even require a virtual network. 
@@ -264,27 +286,26 @@ For Corp Landing Zones its virtual network can be connected (recommended) to the ![lzTab-onlineLZs](./media/clip_image037-3-singlesubscription.jpg) -- Finally, you can **select** from a set of **recommended Azure policies** which ones you want to apply to secure and govern your Landing Zones. All landing zone Azure Policies are enabled by default (recommended) but are fully customizable. -- **Please note:** Landing zone Azure Policies can be assigned at any time. +Click **Next: Decommissioned/Sandbox>** to continue with your deployment. - Any Azure Policies you selected will be assigned to the [Landing Zones Management Group](./How-Enterprise-Scale-Works#enterprise-scale-management-group-structure) under the root of your Enterprise Scale Management Group hierarchy. See [landing zone Azure's Policies](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) for further details on the configurable set of Azure Policies. +![lzTab-next](./media/clip_image037-6-singlesubscription.jpg) - As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator experience will allow you to protect your landing zones with a DDoS Network Protection. For connected Landing Zones (*Corp* Landing Zones), you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones. +## 10. Decommissioned/Sandbox - **In this tutorial, all recommended Azure Policies are enabled.** +You can optionally choose to change whether default policy assignments for Decommissioned and Sandbox management groups are enabled, set to audit only or disabled. - ![lzTab-policies](./media/clip_image037-4-singlesubscription.jpg) +![Decommissioned and Sandbox options](./media/alz-portal-decommsandbox.jpg) Click **Next: Review + Create>** to complete your deployment. 
![lzTab-next](./media/clip_image037-5-singlesubscription.jpg) -## 10. Review + create +## 11. Review + create *Review + Create* page will validate your permission and configuration before you can click deploy. Once it has been validated successfully, you can click *Create* ![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039-singlesubscription.jpg) -## 11. Post deployment activities +## 12. Post deployment activities Once Azure landing zone portal accelerator deployment finishes, you can grant your application teams/business units access to their respective landing zones. Whenever there’s a need for a new landing zone, you can place them into their respective management groups (Online or Corp) given the characteristics of assumed workloads and their requirements. diff --git a/docs/wiki/Deploying-ALZ-CustomerUsage.md b/docs/wiki/Deploying-ALZ-CustomerUsage.md index 9d51eafd11..c908c4aa83 100644 --- a/docs/wiki/Deploying-ALZ-CustomerUsage.md +++ b/docs/wiki/Deploying-ALZ-CustomerUsage.md 
@@ -26,7 +26,21 @@ The following are the unique ID's (also known as PIDs) used in each of the modul | Telemetry | PID | | ------------------------------------------------------------------------- | ------------------------------------ | | ALZ Accelerator/ESLZ ARM Deployment | 35c42e79-00b3-42eb-a9ac-e542953efb3c | -| ALZ Accelerator/ESLZ ARM Deployment - Zero Trust Networking - Phase 1 | f09f64b8-5cb3-4b16-900d-6ba1df8a597e | +| ALZ Accelerator/ESLZ ARM Deployment - Single Platform Subscription | b35a8452-8a67-49f9-b1a9-1aee3c1a13c2 | +| ALZ Accelerator/ESLZ ARM Deployment - Multiple Platform Subscriptions | 725aea60-cfaa-4a0c-9fe7-71b07f53803d | +| ALZ Accelerator/ESLZ ARM Deployment - No Networking | 35c1ce02-165f-43b2-8d3a-fc68a04b802a | +| ALZ Accelerator/ESLZ ARM Deployment - Hub & Spoke Networking | f7fcc714-0c0d-4011-87bf-319810bbb03d | +| ALZ Accelerator/ESLZ ARM Deployment - Virtual WAN Networking | 0263335d-f570-470c-8389-aa6c916e5008 | +| ALZ Accelerator/ESLZ ARM Deployment - Zero Trust Networking - Phase 1 | f09f64b8-5cb3-4b16-900d-6ba1df8a597e | +| ALZ Accelerator/ESLZ ARM Deployment - Azure Monitor baseline alerts | 5f0e5693-3998-4ae2-8115-ee96e38dac62 | + +## External modules telemetry tracking + +In addition to the above, there are a number of modules in external repos that are used in the ALZ ARM Template. Telemetry tracking for these modules is enabled or disabled via the same radio button toggle as described above, i.e. if telemetry tracking is enabled all the different PIDs will be deployed, conversely if it's disabled no PIDs will be deployed. The table below lists the different modules and link to PID documentation for same. 
+ +| Module Name | PID documentation | +| ------------------------------------------------------------------------- | ------------------------------------ | +| [Azure Monitor Baseline Alerts for ALZ](https://aka.ms/amba) | [Telemetry](https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/Telemetry)| ### What is Zero Trust Network Telemetry diff --git a/docs/wiki/Deploying-ALZ-Foundation.md b/docs/wiki/Deploying-ALZ-Foundation.md index d43ce998ed..42b1331197 100644 --- a/docs/wiki/Deploying-ALZ-Foundation.md +++ b/docs/wiki/Deploying-ALZ-Foundation.md @@ -4,9 +4,9 @@ This section will describe how to deploy an the Azure landing zone portal accele ## 1. Pre-requisites -To provision your Azure landing zones environment with the deployment experience in the Azure portal, your user/service principal must have Owner permission at the Azure Active Directory Tenant root. See the following [instructions](./Deploying-Enterprise-Scale-Pre-requisites) on how to grant access before you proceed. +There are a number of prerequisites which need to be met before you can provision an Azure landing zones environment via the deployment experience in the Azure portal. See the following [instructions](./Deploying-ALZ-Pre-requisites.md) on how to grant access before you proceed. -### Optional pre-requsites +### Optional pre-requisites The deployment experience in Azure portal allows you to bring in existing (preferably empty) subscriptions dedicated for platform management. It also allows you to bring existing subscriptions that can be used as the initial landing zones for your applications. 
@@ -44,11 +44,15 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu
 ![Azure Security Center Email Contact](./media/clip_image014asc.jpg)
-## 6. Platform DevOps and Automation
-Azure landing zone portal accelerator provides an integrated CICD pipeline via [AzOps](https://github.com/Azure/AzOps) that can be used with GitHub Actions. For detailed steps for setting up this configuration, refer to the [Deploy Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) article.
+## 6. Baseline alerts and monitoring
+
+On the *Baseline alerts and monitoring* blade, you can configure automated alert configuration for the different scopes in your Azure landing zone implementation. Enabling the different baseline alerts will assign the relevant initiative to the corresponding management group. If you enable the "Deploy one or more Azure Monitor Baseline Alerts" option, you **must** provide an email address to get email notifications from Azure Monitor for the deployment to proceed.
+
+![baseline alerts and monitoring](./media/alz-portal-baselinealerts.jpg)
 ## 7. Network topology and connectivity
+
 On the *Network topology and connectivity* blade, you can configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology. *For this [scenario](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md) since we don't require network connectivity to on-premises or other networking services such as virtual network gateways or Azure Firewall, select "No" on the Deploy network topology option*
@@ -56,24 +60,31 @@ On the *Network topology and connectivity* blade, you can configure the core net
 ![Network](https://user-images.githubusercontent.com/79409563/137819649-d1bb97eb-fda7-446a-b9cd-9f447306d3f6.jpg)
 ## 8. Identity
-On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned.
-*For this [scenario](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md) since we don't require an identitiy subscription, we will select the "No" option.*
+On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned.
+
+*For this [scenario](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md) since we don't require an identity subscription, we will select the "No" option.*
 ![Identity](https://user-images.githubusercontent.com/79409563/137819658-2efaed58-14f0-46f6-81f5-ff1e6859e9d3.jpg)
 ## 9. Landing zone configuration
-You can optionally bring in N number of subscriptions that will be bootstrapped as landing zones, governed by Azure Policy. You can indicate which subscriptions you would like to be bootstrapped as landing zones for corp connectivity and which ones for online connectivity only. Please note that for this [scenario](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md) we only require *online* landing zones. Finally, you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
+In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit. In the bottom two sections you can optionally bring in N number of subscriptions that will be bootstrapped as landing zones, governed by Azure Policy. You can indicate which subscriptions you would like to be bootstrapped as landing zones for corp connectivity and which ones for online connectivity only. Please note that for this [scenario](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md) we only require *online* landing zones.
+
+![Landingzone](./media/alz-portal-landingzones.jpg)
+
+## 10. Decommissioned/Sandbox
+
+You can optionally choose to change whether default policy assignments for Decommissioned and Sandbox management groups are enabled, set to audit only or disabled.
-![Landingzone](./media/clip_image014lzc.jpg)
+![Decommissioned and Sandbox options](./media/alz-portal-decommsandbox.jpg)
-## 10. Review + create
+## 11. Review + create
 *Review + Create* page will validate your permission and configuration before you can click deploy. Once it has been validated successfully, you can click *Create*
 ![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg)
-## 11. Post deployment activities
+## 12. Post deployment activities
 Once Azure landing zone portal accelerator has been deployed, you can grant your application teams/business units access to their respective landing zones. Whenever there is a need for a new landing zone, you can place them into the Online management group.
\ No newline at end of file
diff --git a/docs/wiki/Deploying-ALZ-HubAndSpoke.md b/docs/wiki/Deploying-ALZ-HubAndSpoke.md
index 16e569bc1c..c936f4d1d2 100644
--- a/docs/wiki/Deploying-ALZ-HubAndSpoke.md
+++ b/docs/wiki/Deploying-ALZ-HubAndSpoke.md
@@ -4,9 +4,9 @@ This section will describe how to deploy the Azure landing zone portal accelerat
 ## 1. Pre-requisites
-To provision your Azure environment with the deployment experience in the Azure portal, your user/service principal must have Owner permission at the Azure Active Directory Tenant root. See the following [instructions](./Deploying-Enterprise-Scale-Pre-requisites) on how to grant access before you proceed.
+There are a number of prerequisites which need to be met before you can provision an Azure landing zones environment via the deployment experience in the Azure portal. See the following [instructions](./Deploying-ALZ-Pre-requisites.md) on how to grant access before you proceed.
-### Optional pre-requsites
+### Optional pre-requisites
 The deployment experience in Azure portal allows you to bring in existing (preferably empty) subscriptions dedicated for platform management, connectivity and identity. It also allows you to bring existing subscriptions that can be used as the initial landing zones for your applications.
@@ -34,6 +34,10 @@ Provide a prefix that will be used to create the management group hierarchy and
 ![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix.JPG)
+Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.
+
+![ALZ-Secondary-Region](./media/ALZ-secondaryregion-multisubscription.jpg)
+
 ## 5. Platform management, security, and governance
 On the *Platform management, security, and governance* blade, you will configure the core components to enable platform monitoring and security. The options you enable will also be enforced using Azure Policy to ensure resources, landing zones, and configuration are continuously compliant as your deployments scales with business demand. To enable this, you must provide a dedicated (empty) subscription that will be used to host the requisite infrastructure.
@@ -44,10 +48,11 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu
 ![Azure Security Center Email Contact](./media/clip_image014asc.jpg)
-## 6. Platform DevOps and Automation
+## 6. Baseline alerts and monitoring
-Azure landing zone portal accelerator provides an integrated CICD pipeline via [AzOps](https://github.com/Azure/AzOps) that can be used with GitHub Actions. For detailed steps for setting up this configuration, refer to the [Deploy Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) article.
+On the *Baseline alerts and monitoring* blade, you can configure automated alert configuration for the different scopes in your Azure landing zone implementation. Enabling the different baseline alerts will assign the relevant initiative to the corresponding management group. If you enable the "Deploy one or more Azure Monitor Baseline Alerts" option, you **must** provide an email address to get email notifications from Azure Monitor for the deployment to proceed.
+![baseline alerts and monitoring](./media/alz-portal-baselinealerts.jpg)
 ## 7. Network topology and connectivity
 On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must:
@@ -73,28 +78,57 @@ Depending on your requirements, you may choose to deploy additional network infr
 ![img](./media/clip_image036b.png)
+### Deploying networking resources in a second region
+
+If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.
+
+The deployment will use the same deployment type as the primary region - either two hub and spokes with Azure firewall, two hub and spokes with your own-third party NVA, or an additional virtual WAN hub.
+
+![img](./media/clip_image080.png)
+
+You will need to specify the additional region to deploy to, and then you will be given the option to deploy and configure your gateways and (if applicable) your Azure firewall.
+
+![img](./media/clip_image081.png)
+
+For best results, use similar inputs to make sure that your regional deployments can both support the same architecture. However, if you want to forgo deploying a gateway or firewall in the second region, you can select the appropriate options.
+
+Once deployed, your regional hubs will be peered together and have routing tables assigned to the firewall subnets to handle routing to each other. You can add routes to this route table later, as you add spoke networks. If you have deployed DDoS protection in the primary region, it will be applied to the secondary region as well.
+
+Your Private DNS zones will be deployed in a resource group linked to your primary region, and will be assigned to both regions. See [Private Link and DNS integration at scale](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) for more information.
 ## 8. 
Identity
-On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
+On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
 ![img](./media/clip_image036c.png)
+In addition, you selected **Deploy in a secondary region** and deployed a network topology, you also have the option to deploy an additional Identity virtual network in that region. It will be peered to the hub in your secondary region.
+
+![img](./media/clip_image085.png)
+
 ## 9. Landing zone configuration
-You can optionally bring in N number of subscriptions that will be bootstrapped as landing zones, governed by Azure Policy. You indicate which subscriptions will be bootstrapped as landing zones with a virtual network deployed and connected to the hub virtual network for corp connectivity. Virtual networks on these subscriptions will be connected to the hub virtual network using VNet peering, and if you deployed and enabled Azure Firewall as DNS proxy, DNS settings on these VNets will be configured with the Azure Firewall private IP address.
+In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
+
+In the bottom two sections you can optionally bring in N number of subscriptions that will be bootstrapped as landing zones, governed by Azure Policy. You indicate which subscriptions will be bootstrapped as landing zones with a virtual network deployed and connected to the hub virtual network for corp connectivity. Virtual networks on these subscriptions will be connected to the hub virtual network using VNet peering, and if you deployed and enabled Azure Firewall as DNS proxy, DNS settings on these VNets will be configured with the Azure Firewall private IP address.
+
+You can also indicate which subscriptions you would like to be bootstrapped as landing zones but without corp connectivity.
+
+As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator will allow you to protect your landing zones with a DDoS Network Protection plan, and for corp connected landing zones, you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones.
+
+![Landing zone configuration](./media/clip_image037.jpg)
-You can also indicate which subscriptions you would like to be bootstrapped as landing zones but without corp connectivity. Finally, you can select which policy you want to assign broadly to all of your landing zones.
+## 10. 
Decommissioned/Sandbox
-As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator will allow you to protect your landing zones with a DDoS Network Protection plan, and for corp connected landing zones, you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones.
+You can optionally choose to change whether default policy assignments for Decommissioned and Sandbox management groups are enabled, set to audit only or disabled.
-![Graphical user interface, application Description automatically generated](./media/clip_image037.jpg)
+![Decommissioned and Sandbox options](./media/alz-portal-decommsandbox.jpg)
-## 10. Review + create
+## 11. Review + create
 *Review + Create* page will validate your permission and configuration before you can click deploy. Once it has been validated successfully, you can click *Create*
 ![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg)
-## 11. Post deployment activities
+## 12. Post deployment activities
 Once Azure landing zone portal accelerator has deployed, you can grant your application teams/business units access to their respective landing zones. Whenever there’s a need for a new landing zone, you can place them into their respective management groups (Online or Corp) given the characteristics of assumed workloads and their requirements.
diff --git a/docs/wiki/Deploying-ALZ-Platform-DevOps.md b/docs/wiki/Deploying-ALZ-Platform-DevOps.md
index 13a2304344..07a20ee438 100644
--- a/docs/wiki/Deploying-ALZ-Platform-DevOps.md
+++ b/docs/wiki/Deploying-ALZ-Platform-DevOps.md
@@ -1,288 +1,11 @@
 ## Azure landing zone portal deployment for Platform DevOps and Automation
-### In this section:
+### Important Notice:
-- [Enable deployment of Landing Zones with Infrastructure as Code using Github and Github Actions](#reference-implementation-deployment)
-- [Validation post deployment (GitHub)](#validation-post-deployment-github)
-- [Operating the Azure platform using AzOps (Infrastructure as Code with GitHub Actions)](#operating-the-azure-platform-using-azops-infrastructure-as-code-with-github-actions)
+As of May 2023, the Azure Portal experience (accelerator) of the ALZ Reference Implementation (RI), will not include the "Platform DevOps and automation" section anymore.
----
+Consequently, users interested in Platform DevOps and Automation, are encouraged to use either the respective [ALZ Bicep Modules](https://github.com/Azure/ALZ-Bicep), or the [ALZ Terraform Module](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale).
-### Enable deployment of Landing Zones with Infrastructure as Code using Github and Github Actions
+> [AzOps](https://github.com/Azure/AzOps) can still be used, if desired, but please see the [AzOps](https://github.com/Azure/AzOps) repo for setup and configuration instructions as well as any support requirements via the repos issues.
-You can choose to bootstrap your CI/CD pipeline (GitHub with GitHub actions). Provide your GitHub user/org name, the preferred name of the GitHub repository that is to be created, as well as the PA token that the deployment will use to create a new repository and discover the Enterprise-Scale deployment ARM templates and merge them into your main branch.
-
-![Graphical user interface, text, application Description automatically generated](./media/clip_image015.png)
-
-1.1.1 To create a PA token, follow the instructions here: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token
-
-1.1.2 Ensure the PA token has the following permissions:
-
-![Graphical user interface, text, application Description automatically generated](./media/github_developer_createPAT.png)
-
-> For Microsoft employees who are enrolled into the Azure GitHub organization, you must also authorize the PA token to this Org!
-
-![Graphical user interface, text, application, email Description automatically generated](./media/github_developer_enablesso.png)
-
-![Graphical user interface, text, application, email Description automatically generated](./media/github_developer_disablesso.png)
-
-1.2 Lastly, a Service Principal is required for Git to authenticate to – and be authorized to your Azure tenant. You can either use an existing Service Principal or create a new one. The Service Principal will be granted *Owner* permission on the top level Management Group that gets created.
-
-1.2.1 If using an existing Service Principal, ensure you have the *client secret* as this must be provided as the *Password* for the service principal and confirm it has the right level of permission.
-
-![Graphical user interface, text, application Description automatically generated](./media/clip_image020.jpg)
-
-1.2.2 If creating a new Service Principal, select "Create New" and click on Make selection” and the portal will open a new blade for app registration
-
-![img](./media/clip_image022.png)
-
- ![img](./media/clip_image024.png)
-
-Once the App has been registered, you must explicitly create a new secret.
-
- ![img](./media/clip_image026.png)
-
- ![img](./media/clip_image028.jpg)
-
-Make sure to note down the “Value” of the new client secret.
- ![img](./media/clip_image030.jpg)
-
-The default API Permissions for this App are “User.Read”, as depicted below:
-
-![img](./media/clip_image032.jpg)
-
- After copying the secret, go to “Enterprise-Scale Landing Zones” (in the upper left) to return to the deployment.
-
- ![img](./media/clip_image034.png)
-
- At this point, paste the client secret value of the newly created client secret from a few step above into the Password field.
-
- ![Graphical user interface, application Description automatically generated](./media/clip_image035.png)
-
-### Validation post deployment (GitHub)
-
-Once Enterprise-Scale has deployed and you enabled the CI/CD bootstrap, you should validate in your GitHub account that:
-
-* A new repository has been created, with the name provided during setup.
-
-![Graphical user interface, text, application Description automatically generated](./media/clip_image040.png)
-
-* 4 Secrets are created into this GitHub repository.
-
-ARM_CLIENT_ID = Service Principal
-
-ARM_CLIENT_SECRET = Service Principal Client Secret created in the Tenant
-ARM_SUBSCRIPTION_ID = The management subscription ID created in the Tenant
-ARM_TENANT_ID = Tenant ID of the Azure Tenant that was used to create ESLZ
-
-![img](./media/clip_image042.jpg)
-
-* A Pull Request is either in progress or has completed and automatically merged into the main branch.
-
-![img](./media/clip_image044.png)
-
-* The Azure hierarchy that got created using ARM templates as part of the Enterprise-Scale setup, such as management groups, subscription organization as well as policy definitions, policy assignments and role assignments are hydrated and organized into Git:
-
-![Graphical user interface Description automatically generated with medium confidence](./media/clip_image046.jpg)
-
-
-![Graphical user interface, application Description automatically generated](./media/clip_image048.jpg)
-
-* In each folder, you will find the ARM templates that were deployed at the scopes during the Enterprise-Scale setup. E.g., on the intermediate root group, you will find all policy definitions, and depending on the selection you made during the deployment, you will find resource templates in the platform subscriptions. Users can – whenever they are ready, start using these templates and bring their own templates to manage the platform using ARM templates and infrastructure as code.
-
-![Graphical user interface, application Description automatically generated](./media/clip_image050.jpg)
-
-## Operating the Azure platform using AzOps (Infrastructure as Code with GitHub Actions)
-
-When you have deployed Enterprise-Scale with GitHub integration, you will have a ready-to-go repository with integrated GitHub Actions containing all the ARM templates that were used during deployment, organized in the following way:
-
-* Management group tree structure represented as folders in Git
-
-* Subscriptions represented as folders in their respective management group folder in Git
-
-* Resource Groups represented as folders in their respective subscription folder in Git
-
-* Policy Definitions, Policy Set Definitions, Role Definitions, and Role Assignments as composite ARM resource templates partitioned at the folder representing the respective scope in Azure (management group, subscription)
-
-* Resources (e.g., virtual networks, Log Analytics workspace, Automation account etc.) represented as composite ARM resource templates into their respective resource group (folder)
-
-You can edit/update the existing ARM templates in your repository and GitHub actions will push (deploy) to the respective Azure scope. You can also author and bring your own ARM templates and deploy them to the respective Azure scope.
-
-The following section will demonstrate how one can operationalize the Enterprise-Scale platform using ARM templates, via the GitHub repository that got created using AzOps (GitHub Actions).
-
-### What is AzOps?
-
-AzOps is an opinionated CI/CD pipeline to operationalize the Azure *platform* and *landing zones* that enables organizations to focus on the ARM template development, and not having to deal with multiple deployment scripts targeting different Azure scopes.
The organization and folder structure in Git is dynamically representing the Azure graph (management groups (parent, child relationships), and subscription organization), so the platform operators can easily determine at which *scope* they want to invoke the ARM template deployment by simply making a PR with the ARM template(s) and parameter files (optionally), and AzOps will invoke the deployment accordingly. - -Also, when there’s a new *scope* (management groups, subscriptions, and resource groups) being created, either explicitly via the pipeline – and also out of band (via Portal, CLI, PS etc.), AzOps will discover these and represent them correctly back into Git. - -### Create new Policy Assignment for validation - -Enterprise-Scale with its Policy Driven Governance principle relies heavily on Azure Policy to determine the goal state of the overall platform. As an example, this exercise will demonstrate how a developer can make a new policy assignment at the “Online” landing zone management group scope. - -1. In GitHub, navigate to your repository and click on the ‘azops’ folder. From here, navigate to your -online folder which represents the management group for all your online landing zones. - -![img](./media/clip_image052.jpg) - -2. Click on ‘Add file’, and ‘Create new file’. - -3. Name the file ‘locationAssignment.json’ - -4. Copy and paste the following ARM template json - -``` json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "policyAssignmentEnforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "DoNotEnforce", - "metadata": { - "description": "Input will determine if the policyAssignment should be enforced or not." 
- }
- },
- "policyDefinitionId": {
- "type": "string",
- "defaultValue": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
- "metadata": {
- "description": "Provide the policyDefinition resourceId"
- }
- },
- "policyAssignmentName": {
- "type": "string",
- "defaultValue": "AllowedLocations"
- },
- "policyDescription": {
- "type": "string",
- "defaultValue": "Policy to ringfence Azure regions."
- },
- "listOfAllowedLocations": {
- "type": "array",
- "defaultValue": [
- "westeurope",
- "northeurope"
- ]
- }
- },
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
- "name": "[parameters('policyAssignmentName')]",
- "identity": {
- "type": "SystemAssigned"
- },
- "location": "[deployment().location]",
- "properties": {
- "description": "[parameters('policyDescription')]",
- "displayName": "[parameters('policyDescription')]",
- "policyDefinitionId": "[parameters('policyDefinitionId')]",
- "enforcementMode": "[parameters('policyAssignmentEnforcementMode')]",
- "parameters": {
- "listOfAllowedLocations": {
- "value": "[parameters('listOfAllowedLocations')]"
- }
- }
- }
- }
- ]
-}
-```
-
-5. Examine the file and note that we are using default values for the parameters. You could modify these, or you could also provide a locationAssignment.parameters.json file to provide the parameters.
-
-6. On the ‘Commit new file’ option, select ‘Create a new branch for this commit and start a pull request’, and give it a name.
-
-![Graphical user interface, text, application, email Description automatically generated](./media/ESLZ-location-assignment-policy.JPG)
-
-7. Click ‘Propose new file' and on the next page, click 'Create Pull Request." A new Pull Request is being created which will trigger the Push workflow. Go to Actions to monitor the process.
-
-![Graphical user interface, text, application, chat or text message Description automatically generated](./media/clip_image056.jpg)
-
-8. Once completed, the pull request should automatically merge.
-
-9. In Azure portal, you can navigate to the -online management group and verify that the deployment resource got created and deployed successfully. Each deployment invoked via AzOps will have an ‘AzOps’ prefix.
-
-![Graphical user interface, text, application, email Description automatically generated](./media/clip_image058.jpg)
-
-10. Navigate to ‘Policies’ on the -online management group and verify that there’s a new assignment called ‘Policy to ring-fence Azure regions’.
-
-![Graphical user interface, text, application, email Description automatically generated](./media/clip_image060.jpg)
-
-11. Click on ‘Edit assignment’ to verify that the Policy is not being enforced but will only scan for compliance and validate resources per the policy rule defined in the policy definition.
-
-![Text Description automatically generated with low confidence](./media/clip_image062.jpg)
-
-Once the policy compliance scan has completed, you will get a compliance result for the policy you assigned to validate the effect is working as intended, before going to the next step to update the enforcement mode. I.e., this policy will prevent resources being created outside of the allowed locations specified.
-
-You can now merge the pull request and delete the branch.
-
-### Update a Policy Assignment to enforce
-
-In this exercise, we will modify the existing policy assignment to ensure the policy effect will be enforced.
-
-1. Navigate the locationAssignment.json file you placed into the -online folder, representing the online landing zone.
-
-2. Click on ‘Edit this file’ ![img](./media/clip_image063.png)
-
-3. Change the parameter “policyAssignmentEnforcementMode” default value to be ‘Default’.
- -![Graphical user interface, text, application, email Description automatically generated](./media/clip_image065.jpg) - -4. On the ‘Commit changes’ dialogue box, select ‘Create a new branch for this commit and start a pull request’, and provide a branch name. Click ‘Propose changes’ and create the pull request - -![Graphical user interface, text, application, email Description automatically generated](./media/ESLZ-Update-location-assignment-policy.JPG) - -This will now start the AzOps push workflow and deploy the template with the updated property so that the policy effect will be enforced (in this case, deny resource creation outside of the ringfenced Azure regions). - -Once the job has completed, you can revisit the policy in Azure portal and see that the policy enforcement is set to ‘Enabled’. - -![Graphical user interface, text, application, email Description automatically generated](./media/clip_image069.jpg) - -You can now merge the pull request and delete the branch. - -### Create new Role Assignment on a landing zone - -To grant a user, a group, or a service principal access to a landing zone (subscription), you can use the following ARM template where you provide the principalId (object id of the user, group, or service principal) as input to the parameter, and place the template into the subscription folder into your landing zone management group(s). - -Replace Provide-Principal-Id with Id of the principal. - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "principalId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Provide the objectId of the principal (user, group, SPN, managed identity etc.) that will be granted RBAC at scope." 
- }
- },
- "roleDefinitionId": {
- "type": "string",
- "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
- "metadata": {
- "description": "Provide the id of the built-in roleDefinition. Default is 'Contributor'."
- }
- }
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2017-09-01",
- "name": "[guid(parameters('principalId'))]",
- "properties": {
- "principalId": "[parameters('principalId')]",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]"
- }
- }
- ]
-}
-```
+---
\ No newline at end of file
diff --git a/docs/wiki/Deploying-ALZ-Pre-requisites.md b/docs/wiki/Deploying-ALZ-Pre-requisites.md
index ca23ac68e0..cba2e19a62 100644
--- a/docs/wiki/Deploying-ALZ-Pre-requisites.md
+++ b/docs/wiki/Deploying-ALZ-Pre-requisites.md
@@ -6,7 +6,7 @@ Enterprise-Scale can bootstrap an entire Azure tenant without any infrastructure
 This requires the following:
-* A user that is Global Admin in the Azure Active Directory
+* A user that is Global Admin in the Microsoft Entra ID
 * Elevation of privileges of this user which grants him/her the “User Access Administrator” permission at the tenant root scope
@@ -16,7 +16,7 @@ This requires the following:
 1.1 Sign into the Azure portal as a user being Global Administrator
-1.2 Open Azure Active Directory
+1.2 Open Microsoft Entra ID
 1.3 Under *Manage*, select *Properties
@@ -54,3 +54,12 @@ New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
 ```
 > Please note: sometimes it can take up to 15 minutes for permission to propagate at tenant root scope. It is highly recommended that you log out and log back in to refresh the token before you proceed with the deployment.*
+
+### Azure Monitor Baseline Alerts prerequisites
+
+The Azure Monitor Baseline Alerts are deployed as part of the Enterprise-Scale deployment, and they require the following:
+
+1. For the policies to work, the following Azure resource providers, normally registered by default, must be registered on all subscriptions in scope:
+ - Microsoft.AlertsManagement
+ - Microsoft.Insights
+Please see [here](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) for details on how to register a resource provider should you need to do so.
\ No newline at end of file
diff --git a/docs/wiki/Deploying-ALZ-VWAN.md b/docs/wiki/Deploying-ALZ-VWAN.md
index 422a904031..5f57b63d2c 100644
--- a/docs/wiki/Deploying-ALZ-VWAN.md
+++ b/docs/wiki/Deploying-ALZ-VWAN.md
@@ -4,9 +4,9 @@ This section will describe how to deploy Azure landing zone portal accelerator w
 ## 1. Pre-requisites
-To provision your Azure environment with the deployment experience in the Azure portal, your user/service principal must have Owner permission at the Azure Active Directory Tenant root. See the following [instructions](./Deploying-Enterprise-Scale-Pre-requisites) on how to grant access before you proceed.
+There are a number of prerequisites which need to be met before you can provision an Azure landing zones environment via the deployment experience in the Azure portal. See the following [instructions](./Deploying-ALZ-Pre-requisites.md) on how to grant access before you proceed.
-### Optional pre-requsites
+### Optional pre-requisites
 The deployment experience in Azure portal allows you to bring in existing (preferably empty) subscriptions dedicated for platform management, connectivity and identity. It also allows you to bring existing subscriptions that can be used as the initial landing zones for your applications.
@@ -34,6 +34,10 @@ Provide a prefix that will be used to create the management group hierarchy and
 ![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix.JPG)
+Next, select if you wish to **Deploy in a secondary region**. If this is left as *Yes*, then you will receive additional inputs later in the process to deploy resources in a secondary region.
+
+![ALZ-Secondary-Region](./media/ALZ-secondaryregion-multisubscription.jpg)
+
 ## 5. Platform management, security, and governance
 On the *Platform management, security, and governance* blade, you will configure the core components to enable platform monitoring and security. The options you enable will also be enforced using Azure Policy to ensure resources, landing zones, and more are continuously compliant as your deployments scales and grows. To enable this, you must provide a dedicated (empty) subscription that will be used to host the requisite infrastructure.
@@ -44,14 +48,17 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu
 ![Azure Security Center Email Contact](./media/clip_image014asc.jpg)
-## 6. Platform DevOps and Automation
+## 6. Baseline alerts and monitoring
-Azure landing zone portal accelerator provides an integrated CICD pipeline via [AzOps](https://github.com/Azure/AzOps) that can be used with GitHub Actions. For detailed steps for setting up this configuration, refer to the [Deploy Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) article.
+On the *Baseline alerts and monitoring* blade, you can configure automated alert configuration for the different scopes in your Azure landing zone implementation. Enabling the different baseline alerts will assign the relevant initiative to the corresponding management group. If you enable the "Deploy one or more Azure Monitor Baseline Alerts" option, you **must** provide an email address to get email notifications from Azure Monitor for the deployment to proceed.
+
+![baseline alerts and monitoring](./media/alz-portal-baselinealerts.jpg)
 ## 7. Network topology and connectivity
+
 On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology. For this scenario:
-* Select "Virtual WAN (Microsoft managed)") as the network topology
+* Select "Virtual WAN (Microsoft managed)" as the network topology
 * Provide a dedicated (empty) subscription that will be used to host the requisite networking infrastructure.
 * Provide the address space to be assigned to the vWAN hub
 * Select an Azure region where the first vWAN hub will be created
@@ -66,27 +73,50 @@ Depending on your requirements, you may choose to deploy additional network infr
 ![vwan](./media/clip_image078.jpg)
+### Deploying networking resources in a second region
+
+If you selected **Deploy in a secondary region** in the Core steps, you will also configure a secondary region for networking platform resource in this blade. This secondary platform network deployment prepares you you to take advantage of capacity in multiple regions, and for recovery or multi-region high availability.
+
+The deployment will deploy an additional virtual hub in the secondary region that you specify.
+
+You will need to provide the configuration for the virtual hub, same as the primary region.
+
+![img](./media/clip_image084.png)
+
 ## 8. Identity
-On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
+
+On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
 ![img](./media/clip_image036c.png)
+In addition, you selected **Deploy in a secondary region** and deployed a network topology, you also have the option to deploy an additional Identity virtual network in that region.
It will be connected to the hub in your secondary region.
+
+![img](./media/clip_image085.png)
+
 ## 9. Landing zone configuration
-You can optionally bring in N number of subscriptions that will be bootstrapped as landing zones, governed by Azure Policy. You indicate which subscriptions will be bootstrapped as landing zones with a virtual network deployed and connected to the hub virtual network for corp connectivity. Virtual networks on these subscriptions will be connected to the hub virtual network using VNet peering, and if you deployed and enabled Azure Firewall as DNS proxy, DNS settings on these VNets will be configured with the Azure Firewall private IP address.
+In the top section you can select which policies you want to assign broadly to all of your application landing zones. You also have the ability to set policies to *Audit only* which will assign the policies for Audit.
-You can also indicate which subscriptions you would like to be bootstrapped as landing zones but without corp connectivity. Finally, you can select which policy you want to assign broadly to all of your landing zones.
+In the bottom two sections you can optionally bring in N number of subscriptions that will be bootstrapped as landing zones, governed by Azure Policy. You indicate which subscriptions will be bootstrapped as landing zones with a virtual network deployed and connected to the hub virtual network for corp connectivity. Virtual networks on these subscriptions will be connected to the hub virtual network using VNet peering, and if you deployed and enabled Azure Firewall as DNS proxy, DNS settings on these VNets will be configured with the Azure Firewall private IP address.
-As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator experience will allow you to protect your landing zones with a DDoS Network Protection, and for corp connected landing zones, you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones.
+You can also indicate which subscriptions you would like to be bootstrapped as landing zones but without corp connectivity.
+
+As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator experience will allow you to protect your landing zones with a DDoS Network Protection, and for corp connected landing zones, you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones.
 ![Graphical user interface, application Description automatically generated](./media/clip_image037.jpg)
-## 10. Review + create
+## 10. Decommissioned/Sandbox
+
+You can optionally choose to change whether default policy assignments for Decommissioned and Sandbox management groups are enabled, set to audit only or disabled.
+
+![Decommissioned and Sandbox options](./media/alz-portal-decommsandbox.jpg)
+
+## 11. Review + create
 *Review + Create* page will validate your permission and configuration before you can click deploy. Once it has been validated successfully, you can click *Create*
 ![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg)
-## 11. Post deployment activities
+## 12. Post deployment activities
 Once Azure landing zone portal accelerator is deployed, you can grant your application teams/business units access to their respective landing zones.
Whenever there’s a need for a new landing zone, you can place them into their respective management groups (Online or Corp) given the characteristics of assumed workloads and their requirements.
diff --git a/docs/wiki/Deploying-ALZ-ZTNetwork.md b/docs/wiki/Deploying-ALZ-ZTNetwork.md
new file mode 100644
index 0000000000..7638d04fd6
--- /dev/null
+++ b/docs/wiki/Deploying-ALZ-ZTNetwork.md
@@ -0,0 +1,78 @@
+## Azure landing zone portal accelerator deployment with Zero Trust network principles
+
+This guide will review how to deploy the Azure landing zone portal accelerator with a jump start on Zero Trust Networking Principles for Azure landing zones. If you are looking for a complete walkthrough of the Azure landing zones portal accelerator select one of the deployment guides in the wiki navigation on the right of this page under "Deploying Enterprise-Scale". For more information on Zero Trust security model and principles visit [What is Zero Trust?](https://learn.microsoft.com/security/zero-trust/zero-trust-overview) in the [Zero Trust Guidance Center](https://learn.microsoft.com/security/zero-trust/).
+
+Let's review the [Zero Trust aligned networking](https://learn.microsoft.com/security/zero-trust/deploy/networks) configurations in the [Azure landing zone portal accelerator](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/#azure-landing-zone-portal-accelerator).
+
+## Platform management, security, and governance
+
+On the "Platform management, security, and governance" section of the Azure landing zone portal accelerator keep the following defaults:
+
+- Enable Defender for Cloud for DNS
+
+![Enable Defender for Cloud for DNS](./media/zt7.png)
+
+## Deploy networking topology and Connectivity
+
+On the "Network Topology and Connectivity" section of the Azure landing zone portal accelerator select "Hub and spoke with Azure Firewall" radio button. Next, Select the platform connectivity subscription from the drop down. Confirm or update the address space and first networking hub region, in this case East US.
+
+![Zero Trust Network Topology](./media/zt1.png)
+
+Hub and spoke is the primary topology option for Zero Trust Organizations. These deployments should have traffic coming in to Azure, going between spokes, or leaving Azure be inspected and only permitted when explicitly allowed.
Spoke networks should be segmented into smaller islands with their own ingress and egress controls in minimize "blast radius".
+
+## Enable Threat protection
+
+In the next section you will want to leave the defaults to "Enable DDoS Network Protection" and "Deploy Azure Firewall" as these are pivotal requirements for threat protection. It's also recommended to select at least two availability zones for Azure Firewall, but ideally all 3, if the region has availability zone support.
+
+![Zero Trust enable Threat protection](./media/zt2.png)
+
+These selections help to segment and enforce external and internal boundaries.
+
+## Protect the Identity subscription
+
+On the "Identity" section, ensure the default (Yes) is selected on the following:
+
+- Prevent inbound management ports from internet
+- Ensure subnets are associated with NSG
+- Prevent usage of public IP
+- Create virtual network and connect to the connectivity hub
+
+![Zero Trust protect the identity subscription](./media/zt3.png)
+
+Here we are enforcing network protection on resources in the identity subscription (like domain controllers) and what protocols can reach them with Network Security Groups. The current deployment enforces NSGs, but does not have specific rules as these would be managed post-deployment.
+
+In addition, we are preventing the deployment of public IPs to the identity subscription. Outbound traffic should be routed through the Azure Firewall deployed in the previous activities, and inbound traffic should be filtered in from the same device. To support this, the virtual network needs to peered to the hub.
+
+When you later go to subnet the vnet to plan for deployment, you will also deploy the necessary route tables.
+
+## Secure Application landing zones
+
+On the "landing zones configuration" section ensure the default (Yes) is selected on:
+
+"Enable DDoS Network Protection"
+
+"Prevent usage of Public Endpoints for Azure PaaS services in the corp connected landing zones"
+
+![Zero Trust enable secure application landing zones](./media/zt4.png)
+
+"Ensure encryption in transit is enabled for PaaS services"
+
+![Zero Trust enable secure application landing zones](./media/zt8.png)
+
+"Ensure HTTPS Ingress is enforced in Kubernetes clusters"
+
+![Zero Trust enable secure application landing zones](./media/zt9.png)
+
+"PRevent inbound management ports from the internet"
+
+"Ensure subnets are associated with NSG"
+
+"Prevent IP forwarding"
+
+![Zero Trust enable secure application landing zones](./media/zt5-2.png)
+
+"Ensure secure connections (HTTPS) to storage accounts"
+
+![Zero Trust enable secure application landing zones](./media/zt6.png)
+
+These configurations ensure that the spokes in your topology that are hosting applications start following zero trust networking principles and practices to enhance and improve their security posture.
diff --git a/docs/wiki/Deploying-ALZ.md b/docs/wiki/Deploying-ALZ.md
index d3d0e64aa5..ab5361f20c 100644
--- a/docs/wiki/Deploying-ALZ.md
+++ b/docs/wiki/Deploying-ALZ.md
@@ -2,9 +2,7 @@
 - [Pre-requisites](#pre-requisites)
 - [Reference implementation deployment](#reference-implementation-deployment)
-- [Validation post deployment (GitHub)](#validation-post-deployment-github)
 - [Post deployment activities](#post-deployment-activities)
-- [Operating the Azure platform using AzOps (Infrastructure as Code with GitHub Actions)](#operating-the-azure-platform-using-azops-infrastructure-as-code-with-github-actions)
 ---
 Azure landing zone portal accelerator can be deployed both from the Azure portal directly, or from [GitHub](https://github.com/Azure/Enterprise-Scale#deploying-enterprise-scale-architecture-in-your-own-environment)
@@ -19,7 +17,7 @@ Azure landing zone portal accelerator can bootstrap an entire Azure tenant witho
 This requires the following:
-* A user that is Global Admin in the Azure Active Directory
+* A user that is Global Admin in the Microsoft Entra ID
 * Elevation of privileges of this user which grants him/her the “User Access Administrator” permission at the tenant root scope
@@ -29,7 +27,7 @@ This requires the following:
 1.1 Sign into the Azure portal as a user being Global Administrator
-1.2 Open Azure Active Directory
+1.2 Open Microsoft Entra ID
 1.3 Under *Manage*, select *Properties
@@ -86,6 +84,12 @@ Provide a prefix that will be used to create the management group hierarchy and
 ![ESLZ-Company-Prefix](./media/ESLZ-Company-Prefix.JPG)
+## Baseline alerts and monitoring
+
+On the *Baseline alerts and monitoring* blade, you can configure automated alert configuration for the different scopes in your Azure landing zone implementation. Enabling the different baseline alerts will assign the relevant initiative to the corresponding management group. If you enable the "Deploy one or more Azure Monitor Baseline Alerts" option, you **must** provide an email address to get email notifications from Azure Monitor for the deployment to proceed.
+
+![baseline alerts and monitoring](./media/alz-portal-baselinealerts.jpg)
+
 ### Platform management, security, and governance
 On the *Platform management, security, and governance* blade, you will configure the core components to enable platform monitoring and security. The options you enable will also be enforced using Azure Policy to ensure resources, landing zones, and more are continuously compliant as your deployments scales and grows. To enable this, you must provide a dedicated (empty) subscription that will be used to host the requisite infrastructure.
@@ -96,58 +100,6 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu
 ![Azure Security Center Email Contact](./media/clip_image014asc.jpg)
-### Platform DevOps and Automation
-
-You can choose to bootstrap your CI/CD pipeline (GitHub with GitHub actions). Provide your GitHub user/org name, the preferred name of the GitHub repository that is to be created, as well as the PA token that the deployment will use to create a new repository and discover the Azure landing zone deployment ARM templates and merge them into your main branch.
-
-![Graphical user interface, text, application Description automatically generated](./media/clip_image015.png)
-
-1.1.1 To create a PA token, follow the instructions here: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token
-
-1.1.2 Ensure the PA token has the following permissions:
-
-![Graphical user interface, text, application Description automatically generated](./media/github_developer_createPAT.png)
-
-> For Microsoft employees who are enrolled into the Azure GitHub organization, you must also authorize the PA token to this Org!
-
-![Graphical user interface, text, application, email Description automatically generated](./media/github_developer_enablesso.png)
-
-![Graphical user interface, text, application, email Description automatically generated](./media/github_developer_disablesso.png)
-
-1.2 Lastly, a Service Principal is required for Git to authenticate to – and be authorized to your Azure tenant. You can either use an existing Service Principal or create a new one. The Service Principal will be granted *Owner* permission on the top level Management Group that gets created.
-
-1.2.1 If using an existing Service Principal, ensure you have the *client secret* as this must be provided as the *Password* for the service principal and confirm it has the right level of permission.
-
-![Graphical user interface, text, application Description automatically generated](./media/clip_image020.jpg)
-
-1.2.2 If creating a new Service Principal, select "Create New" and click on Make selection” and the portal will open a new blade for app registration
-
-![img](./media/clip_image022.png)
-
- ![img](./media/clip_image024.png)
-
-Once the App has been registered, you must explicitly create a new secret.
-
- ![img](./media/clip_image026.png)
-
- ![img](./media/clip_image028.jpg)
-
-Make sure to note down the “Value” of the new client secret.
- ![img](./media/clip_image030.jpg)
-
-The default API Permissions for this App are “User.Read”, as depicted below:
-
-![img](./media/clip_image032.jpg)
-
- After copying the secret, go to “Azure landing zone accelerator” (in the upper left) to return to the deployment.
-
- ![img](./media/clip_image034.png)
-
- At this point, paste the client secret value of the newly created client secret from a few step above into the Password field.
-
- ![Graphical user interface, application Description automatically generated](./media/clip_image035.png)
-
-
 ### Network topology and connectivity
 On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology (for this scenario, select either "Hub and spoke with Azure Firewall" or "Hub and spoke with your own third-party NVA"), provide the address space to be assigned to the hub virtual network, select an Azure region where the hub virtual network will be created and provide a dedicated (empty) subscription that will be used to host the requisite infrastructure. For this example, we will select the "Hub and spoke with Azure Firewall" network topology.
@@ -164,7 +116,6 @@ Depending on your requirements, you may choose to deploy additional network infr
 ![img](./media/clip_image036b.png)
-
 ### Identity
 On the *Identity* blade you can specify if you want to assign recommended policies to govern identity and domain controllers. If you decide to enable this feature, you do need to provide an empty subscription for this. You can then select which policies you want to get assigned, and you will need to provide the address space for the virtual network that will be deployed on this subscription. Please note that this virtual network will be connected to the hub virtual network via VNet peering.
@@ -186,234 +137,6 @@ As part of the policies that you can assign to your landing zones, the Azure lan
 ![Graphical user interface, text, application, email Description automatically generated](./media/clip_image039.jpg)
-### Validation post deployment (GitHub)
-
-Once Azure landing zone has deployed and you enabled the CI/CD bootstrap, you should validate in your GitHub account that:
-
-* A new repository has been created, with the name provided during setup.
-
-![Graphical user interface, text, application Description automatically generated](./media/clip_image040.png)
-
-* 4 Secrets are created into this GitHub repository.
- - ARM_CLIENT_ID = Service Principal
- - ARM_CLIENT_SECRET = Service Principal Client Secret created in the Tenant
- - ARM_SUBSCRIPTION_ID = The management subscription ID created in the Tenant
- - ARM_TENANT_ID = Tenant ID of the Azure Tenant that was used to create ESLZ
-
-![img](./media/clip_image042.jpg)
-
-* A Pull Request is either in progress or has completed and automatically merged into the main branch. Using the "AzOps - Pull" workflow.
-
-![img](./media/clip_image044.png)
-
-* The Azure hierarchy that is created using ARM templates as part of the Azure landing zone setup, such as management groups, subscription organization as well as policy definitions, policy assignments and role assignments are pulled and organized into the GitHub repository:
-
-![AzOps Initial Pull Commit](./media/azops-initial-commit.png)
-
-
-* In each folder, you will find the ARM templates that were deployed at the scopes during the Azure landing zone accelerator setup. E.g., on the intermediate root group, you will find all policy definitions, and depending on the selection you made during the deployment, you will find resource templates in the platform subscriptions. Users can – whenever they are ready, start using these templates and bring their own templates to manage the platform using ARM templates and infrastructure as code.
-
-![AzOps - Inside root folder](./media/azops-inside-root-dir.png)
-
 ## Post deployment activities
 Once Azure landing zones has deployed, you can grant your application teams/business units access to their respective landing zones. Whenever there’s a need for a new landing zone, you can place them into their respective management groups (Online or Corp) given the characteristics of assumed workloads and their requirements.
-
-## Operating the Azure platform using AzOps (Infrastructure as Code with GitHub Actions)
-
-When you have deployed Azure landing zone accelerator with GitHub integration, you will have a ready-to-go repository with integrated GitHub Actions containing all the ARM templates that were used during deployment, organized in the following way:
-
-* Management group tree structure represented as folders in Git
-
-* Subscriptions represented as folders in their respective management group folder in Git
-
-* Resource Groups represented as folders in their respective subscription folder in Git
-
-* Policy Definitions, Policy Set Definitions, Role Definitions, and Role Assignments as composite ARM resource templates partitioned at the folder representing the respective scope in Azure (management group, subscription)
-
-* Resources (e.g., virtual networks, Log Analytics workspace, Automation account etc.) represented as composite ARM resource templates into their respective resource group (folder)
-
-You can edit/update the existing ARM templates in your repository and GitHub actions will push (deploy) to the respective Azure scope. You can also author and bring your own ARM templates and deploy them to the respective Azure scope.
-
-The following section will demonstrate how one can operationalize Azure landing zones accelerator using ARM templates, via the GitHub repository that got created using AzOps (GitHub Actions).
-
-### What is AzOps?
-
-AzOps is an opinionated CI/CD pipeline to operationalize the Azure *platform* and *landing zones* that enables organizations to focus on the ARM template development, and not having to deal with multiple deployment scripts targeting different Azure scopes. The organization and folder structure in Git is dynamically representing the Azure graph (management groups (parent, child relationships), and subscription organization), so the platform operators can easily determine at which *scope* they want to invoke the ARM template deployment by simply making a PR with the ARM template(s) and parameter files (optionally), and AzOps will invoke the deployment accordingly.
-
-Also, when there’s a new *scope* (management groups, subscriptions, and resource groups) being created, either explicitly via the pipeline – and also out of band (via Portal, CLI, PS etc.), AzOps will discover these and represent them correctly back into Git.
-
-### Create new Policy Assignment for validation
-
-Azure landing zones Policy Driven Governance principle relies on Azure Policy to determine the goal state of the overall platform. As an example, this exercise will demonstrate how a developer can make a new policy assignment at the “Online” landing zone management group scope.
-
-1. In GitHub, navigate to your repository and click on the `root` folder. From here, navigate to your -online folder which represents the management group for all your online landing zones.
-
-![AzOps - path to online folder](./media/azops-online-path.png)
-
-2. Click on ‘Add file’, and ‘Create new file’.
-
-3. Name the file `locationAssignment.json`
-
-4.
Copy and paste the following ARM template json
-
-``` json
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "policyAssignmentEnforcementMode": {
- "type": "string",
- "allowedValues": [
- "Default",
- "DoNotEnforce"
- ],
- "defaultValue": "DoNotEnforce",
- "metadata": {
- "description": "Input will determine if the policyAssignment should be enforced or not."
- }
- },
- "policyDefinitionId": {
- "type": "string",
- "defaultValue": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
- "metadata": {
- "description": "Provide the policyDefinition resourceId"
- }
- },
- "policyAssignmentName": {
- "type": "string",
- "defaultValue": "AllowedLocations"
- },
- "policyDescription": {
- "type": "string",
- "defaultValue": "Policy to ringfence Azure regions."
- },
- "listOfAllowedLocations": {
- "type": "array",
- "defaultValue": [
- "westeurope",
- "northeurope"
- ]
- }
- },
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
- "name": "[parameters('policyAssignmentName')]",
- "identity": {
- "type": "SystemAssigned"
- },
- "location": "[deployment().location]",
- "properties": {
- "description": "[parameters('policyDescription')]",
- "displayName": "[parameters('policyDescription')]",
- "policyDefinitionId": "[parameters('policyDefinitionId')]",
- "enforcementMode": "[parameters('policyAssignmentEnforcementMode')]",
- "parameters": {
- "listOfAllowedLocations": {
- "value": "[parameters('listOfAllowedLocations')]"
- }
- }
- }
- }
- ]
-}
-```
-
-5. Examine the file and note that we are using default values for the parameters. You could modify these, or you could also provide a `locationAssignment.parameters.json` file to provide the parameters.
-
-6.
On the ‘Commit new file’ option, select ‘Create a new branch for this commit and start a pull request’, and give it a name.
-
-![AzOps - Create PR from GitHub](media/azops-create-pr.png)
-
-7. Click ‘Propose new file' and on the next page, click 'Create Pull Request." A new Pull Request is being created which will trigger the "AzOps - Validate" workflow. Go to Actions to monitor the process.
-
-![AzOps - Validate Workflow](media/azops-pr-validate-action.png)
-
-8. Once completed, the pull request will show WhatIf results as a comment.
-
-![AzOps - Validate comment in Pull Request](media/azops-pr-validate-comment.png)
-
-9. You should review the comment and then approve the pull request by completing the pull request by clicking "Squash and merge". You can also delete the branch once the merge has completed.
-
-10. This will then kick-off the "AzOps - Push" workflow, that can be monitored under actions.
-
-![AzOps - Push workflow](media/azops-push-workflow.png)
-
-11. In Azure portal, you can navigate to the -online management group and verify that the deployment resource got created and deployed successfully. Each deployment invoked via AzOps will have an ‘AzOps’ prefix.
-
-![AzOps - ARM Deployment](media/azops-deployment.png)
-
-12. Navigate to ‘Policies’ on the -online management group and verify that there’s a new assignment called ‘Policy to ring-fence Azure regions’.
-
-![AzOps - Policy Assigned](media/azops-policy-assigned-online.png)
-
-13. Click on ‘Edit assignment’ to verify that the Policy is not being enforced but will only scan for compliance and validate resources per the policy rule defined in the policy definition.
-
-![AzOps - Policy Disabled](media/azops-policy-disabled.png)
-
-Once the policy compliance scan has completed, you will get a compliance result for the policy you assigned to validate the effect is working as intended, before going to the next step to update the enforcement mode.
I.e., this policy will prevent resources being created outside of the allowed locations specified. - -### Update a Policy Assignment to enforce - -In this exercise, we will modify the existing policy assignment to ensure the policy effect will be enforced. - -1. Navigate the locationAssignment.json file you placed into the -online folder, representing the online landing zone. - -2. Click on ‘Edit this file’ ![img](./media/clip_image063.png) - -3. Change the parameter “policyAssignmentEnforcementMode” default value to be ‘Default’. - -![Graphical user interface, text, application, email Description automatically generated](./media/clip_image065.jpg) - -1. On the ‘Commit changes’ dialogue box, select ‘Create a new branch for this commit and start a pull request’, and provide a branch name. Click ‘Propose changes’ and create the pull request - -![Graphical user interface, text, application, email Description automatically generated](./media/ESLZ-Update-location-assignment-policy.JPG) - -This will now start the same process as above by validating and showing a WhatIf output as a comment on the pull request. Once reviewed, approved and merged the AzOps push workflow will trigger and deploy the template with the updated property so that the policy effect will be enforced (in this case, deny resource creation outside of the ringfenced Azure regions). - -Once the job has completed, you can revisit the policy in Azure portal and see that the policy enforcement is set to ‘Enabled’. - -![AzOps - Policy Assignment Mode Changed](media/azops-policy-enforcement-mode-change.png) - -### Create new Role Assignment on a landing zone - -To grant a user, a group, or a service principal access to a landing zone (subscription), you can use the following ARM template where you provide the principalId (object id of the user, group, or service principal) as input to the parameter, and place the template into the subscription folder into your landing zone management group(s). 
- -Replace Provide-Principal-Id with ID of the principal. - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "principalId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Provide the objectId of the principal (user, group, SPN, managed identity etc.) that will be granted RBAC at scope." - } - }, - "roleDefinitionId": { - "type": "string", - "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c", - "metadata": { - "description": "Provide the id of the built-in roleDefinition. Default is 'Contributor'." - } - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2017-09-01", - "name": "[guid(parameters('principalId'))]", - "properties": { - "principalId": "[parameters('principalId')]", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]" - } - } - ] -} -``` diff --git a/docs/wiki/FAQ.md b/docs/wiki/FAQ.md index 7f79cbd55d..efe22b8065 100644 --- a/docs/wiki/FAQ.md +++ b/docs/wiki/FAQ.md @@ -12,6 +12,7 @@ - [What happens if I have existing Management Groups that have the same Name/IDs as ones that will be deployed in the ALZ Portal Accelerator?](#what-happens-if-i-have-existing-management-groups-that-have-the-same-nameids-as-ones-that-will-be-deployed-in-the-alz-portal-accelerator) - [What are the ALZ Portal Accelerator Management Group Name/IDs that are created?](#what-are-the-alz-portal-accelerator-management-group-nameids-that-are-created) - [Why hasn't Azure landing zones migrated to the Azure Monitor Agent yet?](#why-hasnt-azure-landing-zones-migrated-to-the-azure-monitor-agent-yet) +- [What is the impact of GitHub Releases and ALZ?](#what-is-the-impact-of-github-releases-and-alz) --- 
@@ -72,8 +73,8 @@ The following implementation options are available when you use infrastructure-a - The [Azure landing zone accelerator](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/#azure-landing-zone-accelerator) portal-based experience can integrate and bootstrap a CI/CD pipeline using GitHub with [AzOps](https://github.com/Azure/AzOps) as documented at [Deploying Enterprise Scale](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale). - The [Enterprise-scale Do-It-Yourself (DIY) ARM templates](https://github.com/Azure/Enterprise-Scale/tree/main/eslzArm#enterprise-scale-landing-zones-arm-templates) method -- The [Terraform Module for Cloud Adoption Framework Enterprise-scale](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale#terraform-module-for-cloud-adoption-framework-enterprise-scale) -- The [Azure Landing Zone (formerly Enterprise-scale) Bicep Modules - Public Preview](https://github.com/Azure/ALZ-Bicep) +- The [ALZ Terraform module](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale#terraform-module-for-cloud-adoption-framework-enterprise-scale) +- The [ALZ Bicep modules](https://github.com/Azure/ALZ-Bicep) ## If we already deployed enterprise-scale architecture without using infrastructure-as-code, do we have to delete everything and start again to use infrastructure-as-code? 
@@ -105,7 +106,7 @@ To see a demo of Terraform being used, check out this YouTube video on the Micro ## The `AzureDiagnostics` table in my Log Analytics Workspace has hit the 500 column limit, what should I do? -In larger environments that uses a range of different Azure services and associated features it can be common for you to hit the [500 maximum columns in a table limit](https://learn.microsoft.com/azure/azure-monitor/service-limits#log-analytics-workspaces). When this occurs data is not lost however, it is instead stored in a column called `AdditionalFields` as a dynamic property. +In larger environments that uses a range of different Azure services and associated features it can be common for you to hit the [500 maximum columns in a table limit](https://learn.microsoft.com/azure/azure-monitor/service-limits#log-analytics-workspaces). When this occurs data is not lost however, it is instead stored in a column called `AdditionalFields` as a dynamic property. However, some customers may not want this as it can make it more difficult and complex to query the data when the 500 column limit is breached and data is stored in the `AdditionalFields` column. 
@@ -119,13 +120,13 @@ To overcome this issue the Azure Monitor team has created a new collection type As of today only a limited number of services support the [**Resource-specific** collection mode](https://learn.microsoft.com/azure/azure-monitor/essentials/resource-logs#resource-specific) which are listed [here.](https://learn.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics#azure-diagnostics-mode-or-resource-specific-mode) -We are working closely with the relevant Azure engineering teams to ensure the services add support for the [**Resource-specific** collection mode](https://learn.microsoft.com/azure/azure-monitor/essentials/resource-logs#resource-specific) and also create/update the [built-in Azure Policies](https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#built-in-policy-definitions-for-azure-monitor) so we can then utilise them as part of our solution. +We are working closely with the relevant Azure engineering teams to ensure the services add support for the [**Resource-specific** collection mode](https://learn.microsoft.com/azure/azure-monitor/essentials/resource-logs#resource-specific) and also create/update the [built-in Azure Policies](https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#built-in-policy-definitions-for-azure-monitor) so we can then utilise them as part of our solution. Stay tuned to our [What's New page](https://github.com/Azure/Enterprise-Scale/wiki/Whats-new) where we will be announcing when we migrate services to the new collection type. Also watch [Azure Updates](https://azure.microsoft.com/updates/) for announcements from service teams for adding support to their services for this collection type. ## What happens if I have existing Management Groups that have the same Name/IDs as ones that will be deployed in the ALZ Portal Accelerator? 
-As raised in issue [#1080](https://github.com/Azure/Enterprise-Scale/issues/1080) it is possible for you to deploy the ALZ Portal Accelerator in a AAD Tenant with existing Management Groups. If these existing Management Groups have the same Name/ID (not Display Name) as the ones deployed as part of the ALZ Portal Accelerator these existing Management Groups will be targeted in the deployment and brought into the ALZ hierarchy and deployment. This means that the Management Groups will be: +As raised in issue [#1080](https://github.com/Azure/Enterprise-Scale/issues/1080) it is possible for you to deploy the ALZ Portal Accelerator in a Microsoft Entra Tenant with existing Management Groups. If these existing Management Groups have the same Name/ID (not Display Name) as the ones deployed as part of the ALZ Portal Accelerator these existing Management Groups will be targeted in the deployment and brought into the ALZ hierarchy and deployment. This means that the Management Groups will be: - Display Name will be changed to ALZ default for that Management Group - Moved into the ALZ Management Group hierarchy 
@@ -156,16 +157,62 @@ The Management Group Names/IDs created via the ALZ Portal Accelerator Deployment ## Why hasn't Azure landing zones migrated to the Azure Monitor Agent yet? -Great question! Don't worry we are aware of this required migration and change to Azure landing zones with the Log Analytics Agent (Microsoft Monitoring Agent - MMA) being retired in August 2024 as detailed here: [Migrate to Azure Monitor Agent from Log Analytics agent](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-migration). +**Update January 2024** We have been working on the removal of MMA from ALZ and the first step in the overall removal process is to update the ALZ Portal reference implementation (greenfield deployments) which has now been updated. Our next step is to work on the deployment to Terraform and Bicep reference implementations which requires significant investment to minimise impact to existing customers and providing clear guidance for the transition. For more details please see [Azure Monitor Agent Update](./ALZ-AMA-Update.md). -We are working hard internally with the Azure Monitor Product Group (PG) to ensure everything that Azure landing zones requires and gets from the Log Analytics Agent (Microsoft Monitoring Agent - MMA) approach today is covered and has a path for migration to the Azure Monitor Agent (AMA) approach. This has been underway for sometime and continues to progress. +### What if we are not ready to make the switch and migrate, right now? -The AMA agent brings a number of new concepts, resources and changes to existing integrations with other services, such as Microsoft Defender for Cloud, that all require validation by each of the associated PGs as well as the Azure landing zone team, prior to migrating to AMA from MMA. +Another good question. 
You will need to plan, and complete, the migration to the Azure Monitor Agent before the Log Analytics Agent is retired as [documented here.](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/) -We will, when ready, provide Azure landing zones specific migration guidance that supports existing and to be created PG documentation. We will also make the relevant changes to each of the implementation options (Portal, Bicep, Terraform) to support the migration, especially for greenfield scenarios. +### Where do I find more information about the Azure Monitor Baseline Alerts initiative included in the Azure landing zones Portal Accelerator? -> We have an existing GitHub Issue ([#1055](https://github.com/Azure/Enterprise-Scale/issues/1055)) opened for this feature request. Please feel free to give it a 👍 or add a comment. +Great question! As this is maintained in a repository outside of the Azure landing zones repository please refer to [Azure Monitor Baseline Alerts wiki](https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz) for more details. -### What if we are not ready to make the switch and migrate, right now? +## What is the impact of GitHub Releases and ALZ? -Another good question. You will need to plan, and complete, the migration to the Azure Monitor Agent before the Log Analytics Agent is retired as [documented here.](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/) +As you may have noticed, as of end September 2023, Azure Landing Zone has started publishing GitHub Releases after significant changes are merged into the `main` branch. The ALZ team uses the GitHub Releases to publish the latest version of the Azure Landing Zone and Portal Accelerator, enabling the tracking and pinning of release versions to a specific date. 
This is a common practice for many open source projects and we are excited to be able to provide this capability to our customers and partners.
+
+There are two significant benefits to enabling GitHub Releases:
+
+- **Versioning** - The ALZ team will publish a new release for each significant change that is merged into the `main` branch. This will enable customers and partners to pin their deployments to a specific version of ALZ and the Portal Accelerator, enabling them to control when they upgrade to the latest version. Downstream services (e.g. Bicep, Terraform, deliveries, etc) that rely on ALZ can also pin to a specific version of ALZ, enabling them to control the version they work with and when they upgrade to the next/latest version. This also enables the powerful release compare capability that allows customers and partners to compare the differences between releases.
+- **Release notes** - The ALZ team will publish release notes for each release, providing a summary of the changes that have been made since the previous release. This will enable customers and partners to understand what has changed and what they need to do to upgrade to the latest version.
+
+### What if I always want the latest release of ALZ?
+
+If you always want to deploy the latest release of ALZ, you can use the `main` branch. The `main` branch will always contain the latest release of ALZ and the Portal Accelerator. However, we recommend that you pin to a specific release version, as this will enable you to control when you upgrade to the latest version.
+
+### How does this impact me if I am using the ALZ Portal Accelerator?
+
+If you are using the ALZ Portal Accelerator, you will not notice any changes. The ALZ Portal Accelerator will continue to work as it does today. However, should you wish to deploy a previous release of ALZ using the Portal Accelerator, you can do so using the GitHub Release.
+
+Instead of deploying from the `main` branch:
+
+```URI
+https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2FeslzArm%2Feslz-portal.json
+```
+
+You may choose to deploy the 2023-10-17 release (note the change from `main` to `2023-10-17` in the URI):
+
+```URI
+https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2F2023-10-17%2FeslzArm%2FeslzArm.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2F2023-10-17%2FeslzArm%2Feslz-portal.json
+```
+
+### How do I browse a specific release of ALZ in GitHub?
+
+You can browse a specific release of ALZ in GitHub by using the `tags` feature. For example, to browse the 2023-10-17 release of ALZ, you can use the Switch branches/tags dropdown and select the 2023-10-17 tag.
+
+![GitHub Tags](media/2023-10-30_RepoTags.png)
+
+### Why some managed services will potentially fail to deploy to ALZ and how to work around this issue?
+
+There may be circumstances in which deploying services into ALZ are blocked by policy, as an example, managed services that can potentially fail to deploy to ALZ due to being blocked by enforced policies, such as public network access should be disabled for PaaS services or deny network interfaces having a public IP associated.
+When a service is deployed to ALZ, be mindful of default ALZ Policies and understand which policy is being violated.
If the service such a Service Fabric Managed Cluster fails due to security reasons, you can follow several workarounds:
+
+- create an exclusion where you can exclude a specific scope of resources to be excluded from the policy assignment
+- create a temporary policy exemption where you can exclude a specific scope of resources to be excluded from the policy assignment for the duration of deployment (recommended)
+
+Azure Policy exemptions are used to exempt a resource hierarchy or an individual resource from evaluation of a definition. Resources that are exempt count toward overall compliance but can't be evaluated or have a temporary waiver.
+If you want to monitor a resource that is non-compliant by design, you may use an exemption. If you do not want to monitor a resource by a default policy, you may use an exception.
+
+### When can I deploy ALZ to new Azure Regions?
+
+As new Azure regions come online, they are rolled out in a phased approach and whilst the region may be available for use, not all features may be available during the early period. For Azure landing zones this means that you may experience unexpected deployment failures where certain components may not be available. As ALZ provides different options and selections no 2 deployments may be the same and therefore deployment outcomes can differ. Should you experience an issue deploying ALZ to a new region please raise a support ticket for review.
\ No newline at end of file
diff --git a/docs/wiki/How-Enterprise-Scale-Works.md b/docs/wiki/How-Enterprise-Scale-Works.md
index fe8456240d..81bdfd6a10 100644
--- a/docs/wiki/How-Enterprise-Scale-Works.md
+++ b/docs/wiki/How-Enterprise-Scale-Works.md
@@ -48,13 +48,13 @@ One of the key tenets of Enterprise-Scale is to have a clear separation of the A Platform resource are managed by a cross-functional platform team. The team consist mainly out of the following functions. These functions working in close collaboration with the SME functions across the organization: -- **PlatformOps:** Responsible for management and deployment of control plane resource types such as subscriptions, management groups via IaC and the respective CI/CD pipelines. Management of the platform-related identity resources on Azure AD and cost management for the platform. Operationalization of the platform for an organization is under the responsibility of the platform function. +- **PlatformOps:** Responsible for management and deployment of control plane resource types such as subscriptions, management groups via IaC and the respective CI/CD pipelines. Management of the platform-related identity resources on Microsoft Entra ID and cost management for the platform. Operationalization of the platform for an organization is under the responsibility of the platform function. - **SecOps:** Responsible for definition and management of Azure Policy and RBAC permissions on the platform for landing zones and platform management groups and subscriptions. Security operations including monitoring and the definition & operation of reporting and auditing dashboard. - **NetOps:** Definition and management of the common networking components in Azure including the hybrid connectivity and firewall resource to control internet facing networking traffic. NetOps team is responsible to handout virtual networks to landing zone owners or team. ## Landing zone owners responsibilities -Enterprise-scale landing zones support both centralized and federated application DevOps models. The most common model are dedicated **DevOps** teams which are each associated with a single workload. 
In case of smaller workloads, COTS, or 3rd party applications, a single **AppDevOps** team is responsible for the workload's operation. Independent of the model every DevOps team manages several workload staging environments (DEV, UAT, PROD), deployed to individual landing zones /subscriptions. Each landing zone has a set of RBAC permissions managed with Azure AD PIM provided by the Platform SecOps team. +Enterprise-scale landing zones support both centralized and federated application DevOps models. The most common model are dedicated **DevOps** teams which are each associated with a single workload. In case of smaller workloads, COTS, or 3rd party applications, a single **AppDevOps** team is responsible for the workload's operation. Independent of the model every DevOps team manages several workload staging environments (DEV, UAT, PROD), deployed to individual landing zones /subscriptions. Each landing zone has a set of RBAC permissions managed with Microsoft Entra PIM provided by the Platform SecOps team. When the landing zones / subscriptions are handed over to the DevOps team, the team is end-to-end responsible for the workload. They can operate within the security guardrails provided by the platform team independently. If dependencies on central teams or functions are discovered, it is highly recommended to review the process and eliminate these as soon as possible to unblock DevOps teams. 
@@ -92,7 +92,7 @@ By default, all recommended settings and resources recommendations are enabled a - Azure Security Center (Standard or Free tier) - Azure Sentinel - - Diagnostics settings for Activity Logs, VMs, and PaaS resources sent to Log Analytics + - Diagnostics settings for Activity Logs, VMs, Management Groups and PaaS resources sent to Log Analytics - When deploying [**Adventure Works**](./ALZ-Deploy-reference-implementations#deploy-a-reference-implementation) or [**Contoso**](./ALZ-Deploy-reference-implementations#deploy-a-reference-implementation): An Azure subscription dedicated for **Connectivity**, which deploys core Azure networking resources such as: diff --git "a/docs/wiki/Migrate-ALZ-Policies-to-Built\342\200\220in.md" "b/docs/wiki/Migrate-ALZ-Policies-to-Built\342\200\220in.md" index b75d5aff30..681dd290b7 100644 --- "a/docs/wiki/Migrate-ALZ-Policies-to-Built\342\200\220in.md" +++ "b/docs/wiki/Migrate-ALZ-Policies-to-Built\342\200\220in.md" 
@@ -12,7 +12,7 @@ This article describes how to migrate ALZ custom policies and policy initiatives There are the following scenarios for ALZ custom policies being superseded by Azure built-in policies, listed in increasing order of complexity: 1. A single ALZ custom policy, which is not assigned anywhere in your Azure estate, is superseded by an Azure built-in policy. This is the simplest scenario, and is not covered in more detail. 2. A single ALZ custom policy, which is assigned at one or more scopes in your Azure estate, is superseded by an Azure built-in policy. The process for managing this is described in [Migrate single ALZ custom policy to built-in policy](#migrate-single-pol). -3. One or more ALZ custom policies, assigned via ALZ custom policy intiative, which are superseded by Azure built-in policies. The process for managing this is described in [Migrate ALZ custom policies in initiatives to built-in policies](#migrate-multiple-pol). +3. One or more ALZ custom policies, assigned via ALZ custom policy initiative, which are superseded by Azure built-in policies. The process for managing this is described in [Migrate ALZ custom policies in initiatives to built-in policies](#migrate-multiple-pol). ### Migrate single ALZ custom policy to built-in policy For this scenario we will use the ALZ custom policy _Deny the creation of public IP_ which will be migrated to the built-in policy _Not allowed resource types_ diff --git a/docs/wiki/Update-ALZ-Custom-Policies-to-Latest.md b/docs/wiki/Update-ALZ-Custom-Policies-to-Latest.md index 1a221e1b6d..fd55dd5cec 100644 --- a/docs/wiki/Update-ALZ-Custom-Policies-to-Latest.md +++ b/docs/wiki/Update-ALZ-Custom-Policies-to-Latest.md 
@@ -28,7 +28,7 @@ These are the following scenarios for ALZ custom policies being updated to lates ### Updating one or more ALZ custom policies to newer ALZ custom policy -For this scenario we will use the ALZ custom policy *Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace*. +For this scenario we will use the ALZ custom policy *Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace*. Considering no parameters have changed, this is a simple exercise that consists of replacing the policy definition content with the latest policy definition. While it is possible to update the policy definition via the portal GUI, there are some properties than can't be updated, like version. To minimize errors and include all updated policy definition properties, we will be updating this policy via a PowerShell script. @@ -75,7 +75,7 @@ Before we begin, we need to identify the policy definition name and location to ### Updating one or more ALZ custom policies to newer ALZ custom policy with updated parameters -For this scenario, we will use the ALZ custom policy *Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace*. Even though this policy doesn't have any updated parameters, we will walk through the steps as though it does. +For this scenario, we will use the ALZ custom policy *Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace*. Even though this policy doesn't have any updated parameters, we will walk through the steps as though it does. - Go to [Azure Portal](https://portal.azure.com) - Open Policy 
@@ -243,7 +243,7 @@ For this scenario we will use the ALZ custom initiative _Deploy Diagnostic Setti
 if ($policyDefId -match '(\/\w+\/\w+\.\w+\/\w+\/)(\w+)(\/.+)') {
 $policyDefinitionName = $policyDefId.substring($policyDefId.lastindexof('/') + 1)
 $policyDefinitionPath = "./$($policyDefinitionName).json"
- Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/src/resources/Microsoft.Authorization/policyDefinitions/$($policyDefinitionName).json" -OutFile $policySetDefinitionPath
+ Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/src/resources/Microsoft.Authorization/policyDefinitions/$($policyDefinitionName).json" -OutFile $policyDefinitionPath
 $policyDef = Get-Content $policyDefinitionPath | ConvertFrom-Json -Depth 100
 $policyName = $policyDef.name
 $displayName = $policyDef.properties.displayName
diff --git a/docs/wiki/What-is-Enterprise-Scale.md b/docs/wiki/What-is-Enterprise-Scale.md
index 23bc122d47..11d16ce468 100644
--- a/docs/wiki/What-is-Enterprise-Scale.md
+++ b/docs/wiki/What-is-Enterprise-Scale.md
@@ -25,7 +25,7 @@ The following table outlines key customer requirements in terms of landing zones
 | Best-practices from cloud provider | Yes. Proven and validated with customers |
 | Be aligned with cloud provider's platform roadmap | Yes. |
 | UI Experience and simplified setup | Yes. Via the Azure portal |
-| All critical services are present and properly configured according to recommended best practices for identity & access management, governance, security, network and logging | Yes. Using a multi-subscription design, aligned with Azure platform roadmap |
+| All critical services are present and properly configured according to recommended best practices for identity & access management, governance, security, network, monitoring and logging | Yes. Using a multi-subscription design, aligned with Azure platform roadmap |
 | Automation capabilities (IaC/DevOps) | Yes. ARM/Bicep, Terraform, Azure Policy, GitHub/Azure DevOps CI/CD pipeline options included |
 | Provides long-term self-sufficiency | Yes. Enterprise-scale architecture -> 1:N landing zones. Approach & architecture prepare the customer for long-term self-sufficiency. The RIs reference implementations are there to get you started |
 | Enables migration velocity across the organization | Yes. Enterprise-scale Scale architecture -> 1:N landing zones. Architecture includes designs for segmentation and separation of duty to empower teams to act within appropriate landing zones |
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index 71ca75c018..9b8d8b28d6 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -1,28 +1,26 @@ ## In this Section -- [In this Section](#in-this-section) - [Updates](#updates) - - [March 2023](#march-2023) - - [February 2023](#february-2023) - - [January 2023](#january-2023) - - [December 2022](#december-2022) - - [November 2022](#november-2022) - - [October 2022](#october-2022) - - [September 2022](#september-2022) - - [August 2022](#august-2022) - - [July 2022](#july-2022) - - [June 2022](#june-2022) - - [May 2022](#may-2022) - - [April 2022](#april-2022) - - [February 2022](#february-2022) - - [January 2022](#january-2022) - - [December 2021](#december-2021) - - [November 2021](#november-2021) - - [October 2021](#october-2021) - - [September 2021](#september-2021) - - [August 2021](#august-2021) - - [July 2021](#july-2021) - - [June 2021](#june-2021) + - [August 2024](#august-2024) + - [July 2024](#july-2024) + - [June 2024](#june-2024) + - [🆕 AMA Updates](#-ama-updates) + - [🔃 Policy Refresh H2 FY24](#-policy-refresh-h2-fy24) + - [May 2024](#may-2024) + - [April 2024](#april-2024) + - [March 2024](#march-2024) + - [February 2024](#february-2024) + - [AMA Update for the Portal Accelerator](#ama-update-for-the-portal-accelerator) + - [🔃 Policy Refresh Q2 FY24](#-policy-refresh-q2-fy24) + - [January 2024](#january-2024) + - [December 2023](#december-2023) + - [November 2023](#november-2023) + - [October 2023](#october-2023) + - [September 2023](#september-2023) + - [August 2023](#august-2023) + - [July 2023](#july-2023) + - [June 2023](#june-2023) + - [Previous Updates](#may-2023) --- 
@@ -33,13 +31,12 @@ Enterprise Scale/Azure Landing Zones is updated regularly. This page is where yo - Improvements to existing guidance and artifacts - Azure Policy changes - Bug fixes + - Updated broken links in [Deploying ALZ ZT Network](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-ALZ-ZTNetwork#azure-landing-zone-portal-accelerator-deployment-with-zero-trust-network-principles) - Tooling updates: - - [AzOps](https://github.com/azure/azops) - - [Releases](https://github.com/Azure/AzOps/releases) - - [Terraform Module for Cloud Adoption Framework Enterprise-scale](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale) - - [Releases](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/releases) - [ALZ-Bicep Modules](https://github.com/Azure/ALZ-Bicep) - [Releases](https://github.com/Azure/ALZ-Bicep/releases) + - [Terraform Module for Cloud Adoption Framework Enterprise-scale](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale) + - [Releases](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/releases) > **Note:** Please check the latest release notes for each of the tools, as these will contain more detailed notes relating to changes in each of the tools. 
@@ -51,12 +48,542 @@ This article will be updated as and when changes are made to the above and anyth
 Here's what's changed in Enterprise Scale/Azure Landing Zones:
+### August 2024
+
+> NOTE TO CONTRIBUTORS: Due to security compliance requirements, we've made core changes that mean we no longer automatically build the policies, initiatives and roles templates after changes in the `src` folder are committed. This means that you as a contributor must run the bicep build commands to generate the required outputs as part of your pull request. Depending on the files you've updated these are the commands (assuming you have bicep installed):
+>
+> - `bicep build ./src/templates/policies.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/policies.json`
+> - `bicep build ./src/templates/initiatives.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json`
+> - `bicep build ./src/templates/roles.bicep --outfile ./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json`
+
+#### Other
+
+- Cleaned up the Log Analytics "solutions" in portal ARM template, as these are no longer required and deployed by ALZ.
+- Re-introduced the option to enable "Sentinel" in the portal accelerator.
+- Updated Microsoft Sentinel onboarding (enablement) using the new mechanism that fixes issues after 1 July 2024. Microsoft Sentinel is enabled by default through the portal accelerator as a best practice - we do not however configure any data connectors, we only enable the service. Should you wish to remove this, you can delete the association from the Azure Portal after deployment from the "Sentinel" feature blade.
+
+### July 2024
+
+#### Policy
+
+- Alignment of **allowedValues** in the following initiatives with those used in the included policyDefinitions:
+ - [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html)
+ - [Enforce recommended guardrails for Kubernetes](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Kubernetes.html)
+ - [Enforce recommended guardrails for Network and Networking services](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Network.html)
+ - [Enforce recommended guardrails for Synapse workspaces](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Synapse.html)
+
+### June 2024
+
+#### Documentation
+
+- As the Log Analytics agent is set to be retired on August 31, 2024, it is crucial for users to plan their migration to avoid any disruption in their monitoring services. The migration involves understanding the current setup, including agents, workspaces, solutions, insights, and data collections, and then configuring the new data collections to ensure a smooth transition. Tools like the AMA Migration Helper and DCR Config Generator can assist in automating and tracking the migration process. We've now made available [migration guidance](./ALZ-AMA-Migration-Guidance) to assist in the process.
+- Developed a script to facilitate the transition from Microsoft Monitoring Agent (MMA) to Azure Monitor Agent (AMA) within Azure landing zones. Review the [migration guidance](./ALZ-AMA-Migration-Guidance) for additional information on how the script can be used.
+- General update AMA documentation [ALZ AMA Update](./ALZ-AMA-Update)
+
+#### Policy
+
+- Added new custom policy [Do not allow deletion of specified resource and resource type](https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-DeleteResources.html) that provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA. Assigned at the Platform Management Group, it blocks delete calls using the deny action effect.
+- Updated the custom policy [Deploy-ASC-SecurityContacts](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-ASC-SecurityContacts.html) as part of the [Deploy-MDFC-Config](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/deploy-mdfc-config.html) initiative to use the new API and revised construct for the Security Contact API in Defender for Cloud (`alertNotications` alias has been deprecated, and replaced by `notificationSources`).
+
+#### Other
+
+- 12th June 2024 ALZ External Community Call recording and slides uploaded and shared [here](https://aka.ms/alz/community)
+
+### 🆕 AMA Updates
+
+The ALZ Portal Accelerator has been enhanced with the latest AMA updates, ensuring a seamless and efficient management experience. 🚀
+
+Key updates include:
+
+- Azure Landing zones is now using a single centralized User Assigned Managed Identity. The centralization of User Assigned Managed Identity for Azure Monitor Agent (AMA) marks a significant advancement in our ability to manage large-scale deployments efficiently.
+ - The User Assigned Managed Identity `id-ama-prod--001` is created in resource group `-mgmt` in the management subscription or in the platform subscription when selecting 'Single' in the Platform subscription options.
+ - The feature flag `restrictBringYourOwnUserAssignedIdentityToSubscription` has been added to the policies and initiatives that enables the use of a single centralized User Assigned Managed Identity.
+ - `restrictBringYourOwnUserAssignedIdentityToSubscription` set as True (Policy/Initiative default): Restricts the bring your own UAMI to a UAMI from the same subscription as the VM.
+ - `restrictBringYourOwnUserAssignedIdentityToSubscription` set as False (**ALZ Default**): Removes that restriction and allows you to assign your own UAMI from any subscription within the tenant/ scope of assignment.
+ - We've updated the following built-in policy initiatives to support single User Assigned Managed Identities:
+ - [Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/924bfe3a-762f-40e7-86dd-5c8b95eb09e6.html)
+ - [Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/f5bf694c-cca7-4033-b883-3a23327d5485.html)
+ - [Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html)
+ - [[Preview]: Enable ChangeTracking and Inventory for virtual machines](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/92a36f05-ebc9-4bba-9128-b47ad2ea3354.html)
+ - [[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/c4a70814-96be-461c-889f-2b27429120dc.html)
+- Custom [Defender for SQL initiative](https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json) has been deprecated and is replaced by [Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html)
+- Custom [User Assigned Managed Identity 
policy](https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights.json) has been deprecated. UAMI for AMA is now centrally deployed therefore this policy is no longer required.
+- When utilizing Portal, ARM, or Bicep, it is necessary to manually remove policy assignments corresponding to deprecated policies. To proceed with the deletion of the assignment, please refer to the Display Name or Assignment Name provided below.
+
+ | Assignment Name | Display Name | Scope of Assignment |
+ | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- |
+ | Deploy-MDFC-DefenSQL-AMA | Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace | Platform Management Group
Landing Zones Management Group |
+ | Deploy-UAMI-VMInsights | Deploy User Assigned Managed Identity for VM Insights | Landing Zones Management Group |
+
+### 🔃 Policy Refresh H2 FY24
+
+We've missed Q3 timelines completely, but for good reason. We've held back this cycle of Policy Refresh in order to address some key initiatives that we feel are critical to the success of our customers. This is the single largest update to the ALZ Policy since the inception of the project. We're excited to share these updates with you, and we're confident that they will provide significant value to your deployments and the compliance of your Azure Landing Zones.
+
+- 📌Major Update: New "Workload Specific Compliance" section added to ALZ Portal accelerator. This will allow you to apply compliance policies to specific workloads, such as SQL, Storage, and more. These additional compliance controls are frequently required by highly regulated industries like financial services, healthcare, etc. Note: they are not assigned by default, you are required to select the workload and management group scope to apply assignments. 
For more information review [ALZ Policy - Extra](./ALZ-Policies-Extra)
+This release includes:
+ - 25 new custom initiatives added to support key Azure workloads/services
+ - Significantly enhanced [Deny-PublicPaasEndpoints](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaasEndpoints.html) to cover additional services (no public access)
+ - Significantly enhanced [Enforce-EncryptTransit](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) to cover additional services (TLS and SSL)
+ - Significantly enhanced [Enforce-EncryptionCMK](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptionCMK.html) to cover additional services (customer managed keys)
+ - 24 new custom policies added for various workloads where no equivalent built-in policy is available (included in the new initiatives) - please note some policies only support the "Audit" effect, and should be overridden as needed.
+- 🎉Diagnostic Settings v2 have arrived covering 140 Azure services and greatly simplifying implementation and management.
+ - Updated the diagnostic settings assignment to use the new built-in initiative [Enable allLogs category group resource logging for supported resources to Log Analytics](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html)
+ - Deprecating the ALZ custom diagnostic settings policies (53) and initiative (1)
+ - NOTE: going forward if you have issues with Diagnostic Settings, please open an Azure support ticket
+- Updated [Audit-PublicIpAddresses-UnusedResourcesCostOptimization](https://www.azadvertizer.net/azpolicyadvertizer/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.html) to check for `static` public IP addresses that are not associated with any resources (instead of `not basic`).
+- Fixed the bug with [Configure Azure Machine Learning workspace to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/ee40564d-486e-4f68-a5ca-7a621edae0fb.html) policy where `secondPrivateDnsZoneId` parameter was missing which was leaving AML private endpoints incomplete.
+- Updated `Audit-PrivateLinkDnsZones` display name to include the fact it can be `audit` or `deny`
+- Added the [Configure BotService resources to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/6a4e6f44-f2af-4082-9702-033c9e88b9f8.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Azure Managed Grafana workspaces to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/4c8537f8-cd1b-49ec-b704-18e82a42fd58.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Azure Virtual Desktop hostpool resources to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/9427df23-0f42-4e1e-bf99-a6133d841c4a.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Azure Virtual Desktop workspace resources to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/34804460-d88b-4922-a7ca-537165e060ed.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Azure Device Update for IoT Hub accounts to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/a222b93a-e6c2-4c01-817f-21e092455b2a.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Azure Arc Private Link Scopes to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/55c4db33-97b0-437b-8469-c4f4498f5df9.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Deploy - Configure IoT Central to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure Recovery Services vaults to use private DNS zones for backup](https://www.azadvertizer.net/azpolicyadvertizer/af783da1-4ad1-42be-800d-d19c70038820.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure a private DNS Zone ID for table groupID](https://www.azadvertizer.net/azpolicyadvertizer/028bbd88-e9b5-461f-9424-a1b63a7bee1a.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Added the [Configure a private DNS Zone ID for table_secondary groupID](https://www.azadvertizer.net/azpolicyadvertizer/c1d634a5-f73d-4cdd-889f-2cc7006eb47f.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Removed Defender for Cloud for DNS, as this is now deprecated and is included in Defender for Servers. Deprecated [Deploy-MDFC-Config](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) initiative, and superseded with [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to minimize breaking change impact on existing deployments.
+- Removed Defender for Cloud for APIs, as this is now deprecated due to plan changes for this service. Deprecated [Deploy-MDFC-Config](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) initiative, and superseded with [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to minimize breaking change impact on existing deployments.
+- Added new initiative and default assignment for [Enforce-Backup](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Backup.html) scoped to the Landing Zones and Platform management groups in Audit mode:
+ - Added the [[Preview]: Immutability must be enabled for backup vaults](https://www.azadvertizer.net/azpolicyadvertizer/2514263b-bc0d-4b06-ac3e-f262c0979018.html) built-in policy
+ - Added the [[Preview]: Immutability must be enabled for Recovery Services vaults](https://www.azadvertizer.net/azpolicyadvertizer/d6f6f560-14b7-49a4-9fc8-d2c3a9807868.html) built-in policy
+ - Added the [[Preview]: Soft delete should be enabled for Backup Vaults](https://www.azadvertizer.net/azpolicyadvertizer/9798d31d-6028-4dee-8643-46102185c016.html) built-in policy
+ - Added the [[Preview]: Soft delete should be enabled for Recovery Services Vaults](https://www.azadvertizer.net/azpolicyadvertizer/31b8092a-36b8-434b-9af7-5ec844364148.html) built-in policy
+ - Added the [[Preview]: Multi-User Authorization (MUA) must be enabled for Backup Vaults.](https://www.azadvertizer.net/azpolicyadvertizer/c58e083e-7982-4e24-afdc-be14d312389e.html) built-in policy
+ - Added the [[Preview]: Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults.](https://www.azadvertizer.net/azpolicyadvertizer/c7031eab-0fc0-4cd9-acd0-4497bd66d91a.html) built-in policy
+- Added [[Preview]: Azure Recovery Services vaults should disable public network access](https://www.azadvertizer.net/azpolicyadvertizer/9ebbbba3-4d65-4da9-bb67-b22cfaaff090.html) built-in policy to the "Deny-PublicPaaSEndpoints" initiative and assignment.
+- Added new initiative and assignment to enable auditing for Trust Launch capable virtual machines which includes the following built-in policies:
+ - [Disks and OS image should support TrustedLaunch](https://www.azadvertizer.net/azpolicyadvertizer/b03bb370-5249-4ea4-9fce-2552e87e45fa.html)
+ - [Virtual Machine should have TrustedLaunch enabled](https://www.azadvertizer.net/azpolicyadvertizer/c95b54ad-0614-4633-ab29-104b01235cbf.html)
+- Updated ARM deployment for Defender for APIs, which now requires a sub plan be specified. We're defaulting to sub plan "P1", and have confirmed that costs will only be incurred once an API has expressly been onboarded to Defender for APIs. Please thoroughly review Defender for API plans as they related to your environment and adjust the sub plan as needed.
+- Deprecated custom policy [Storage Account set to minimum TLS and Secure transfer should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Storage-minTLS.html) and replaced with two built-in policies [Secure transfer to storage accounts should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html) and [Storage accounts should have the specified minimum TLS version](https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html).
+- Added new custom policy "Deploy-Private-DNS-Generic" this policy will DINE-configure private DNS zone groups to override the DNS resolution for PaaS services private endpoint. It is generic to enable private DNS zones for the services which supports private DNS but don't have built-in policies available and also for the new services which support private DNS in future. This policy also supports the configuration of the evaluation delay.
+- Deprecated [Deploy-EncryptTransit](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-EncryptTransit.html) initiative and superseded with [Deploy-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-EncryptTransit_20240509.html) to minimize breaking change impact on existing deployments.
+- Fixed the assignment for [Configure periodic checking for missing system updates on azure virtual machines](https://www.azadvertizer.net/azpolicyadvertizer/59efceea-0c96-497e-a4a1-4eb2290dac15.html) to use the correct RBAC role.
+- Added new initiative for Microsoft Defender for Endpoints [Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/77b391e3-2d5d-40c3-83bf-65c846b3c6a3.html).
+
+Special Note: Existing consumers of ALZ will notice that some "assigned by default" initiative assignments have been replaced/renamed to avoid breaking changes to existing assignments. Therefore the below original assignments will need to be deleted, and have the new version assigned instead:
+
+| Initiative | Display Name | Original Assignment Name | New Assignment Name | Scope of Assignment |
+| --- | --- | --- | --- | --- |
+| Deploy-MDFC-Deploy | Deploy Microsoft Defender for Cloud configuration | Deploy-MDFC-Deploy | Deploy-MDFC-Config-H224 | Intermediate Root Management Group |
+| Deploy-EncryptTransit | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit | Enforce-TLS-SSL | Enforce-TLS-SSL-H224 | Landing Zones Management Group |
+| Deploy-Diagnostics-LogAnalytics | Deploy Diagnostic Settings to Azure Services | Deploy-Resource-Diag | Deploy-Diag-Logs | Intermediate Root Management Group |
+
+### May 2024
+
+#### Documentation
+
+- Archived the readme content in the eslzArm folder as it is no longer relevant. 
Please refer to the [ALZ Wiki](https://aka.ms/alz/wiki) for the latest information on how to deploy Enterprise-Scale Landing Zones. To view the content that was previously here, refer to the [archive](https://github.com/Azure/Enterprise-Scale/blob/45d5c2bd8c1a9e19b1a46a3a0dabb311e5320b64/eslzArm/README.md).
+- Added new instructions for deploying hub and spoke network topology in [multiple regions](./Deploying-ALZ-HubAndSpoke#deploying-networking-resources-in-an-additional-region).
+- Added new instructions for deploying additional vWAN hubs in [multiple regions](./Deploying-ALZ-HubAndSpoke#deploying-networking-resources-in-an-additional-region).
+
+#### Tooling
+
+- Added functionality to deploy platform resources into multiple regions. In the Core settings, you will have the option to deploy resources in a secondary region. If you select **Yes** you will have new options:
+ - In the **Networking topology and connectivity** tab:
+ - If you select *Hub and spoke with Azure Firewall* you will deploy a second hub in a secondary region. You can configure the IP space, VPN Gateway settings, ExpressRoute Gateway settings, and Azure Firewall settings for this region. Both of the hubs will be peered, with routing for the hubs to the Azure Firewalls being deployed. If you select DDoS protection or to select the creation of Azure Private DNS Zones, these will be linked to the second hub as well.
+ - If you select *Hub and spoke with your third-party NVA* you will deploy a second hub in a secondary region. You can configure the IP space, VPN Gateway settings, and ExpressRoute Gateway settings for this region. Both of the hubs will be peered, but no routing configured. If you select DDoS protection or to select the creation of Azure Private DNS Zones, these will be linked to the second hub as well.
+ - If you select *Virtual WAN* you will deploy a second virtual hub in a secondary region, as part of your virtual WAN deployment. 
You can configure the IP space, VPN Gateway settings, ExpressRoute Gateway settings, and Azure Firewall settings for this region. Both of the hubs will be peered, with routing for the hubs to the Azure Firewalls being deployed.
+ - In the **Identity** tab, if you have selected a topology to deploy, you will have the option to deploy an Identity virtual network to the secondary region, peered to the hub in that region.
+
+### April 2024
+
+#### Tooling
+
+- Add additional, optional, telemetry to help the ALZ team identify styles of deployments.
+
+### March 2024
+
+#### Documentation
+
+- Added new AMA Policies and Initiatives to [ALZ Policies](./ALZ-Policies) documentation.
+- Updated [community call wiki page](https://aka.ms/alz/community) with links for March 2024 recording and slides.
+
+#### Tooling
+
+- Add new Regulatory Compliance Policy Assignment flexibility feature
+- Added ARM template to enable Microsoft Defender for Cloud as part of the deployment. Policies will still remediate additional subscriptions added to ALZ after deployment.
+- Resolved an issue that prevented the policy remediation from working properly for VM Insights, Change Tracking, Azure Update Manager policies. The root cause was a too restrictive access configuration for the Managed Identity that performs the remediation tasks.
+ - **New deployments will now:**
+ - Add an additional role assignment for VMInsights Policies that are assigned at Landing Zone management group scope, granting the Managed Identity the Reader role on the Platform management group.
+ - Add an additional role assignment for ChangeTracking Policies that are assigned at Landing Zone management group scope, granting the Managed Identity the Reader role on the Platform management group.
+ - Add an additional role assignment to Azure Update Manger Policies, granting Managed Identity Operator at the same scope as the assignment.
+ - **To update an existing deployment:**
+ - This script [Set-RBACAmaPolicyAssignment.ps1](https://github.com/Azure/Enterprise-Scale/blob/main/src/scripts/Set-RBACAmaPolicyAssignment.ps1) will update the required role assignments. The `enterpriseScaleCompanyPrefix` parameter is required for running the script and should contain the intermediate root management group name.
+
+ ```powershell
+ .\Set-RBACAmaPolicyAssignment.ps1 -enterpriseScaleCompanyPrefix contoso
+ ```
+
+### February 2024
+
+#### Tooling
+
+- Disabled a Policy in the Microsoft Defender for SQL initiative. As it is not required at this stage. See [ALZ AMA FAQ](./ALZ-AMA-FAQ) for more details.
+- Changed enforcementMode of the assignment of Policy "Deploy-UserAssignedManagedIdentity-VMInsights" to Default. This is to ensure that a Resource Group and a User Assigned Managed Identity are created on new subscriptions (subscriptions that are added after the initial deployment).
+- Bug fix for Portal Accelerator. userAssignedIdentityResourceGroup has been added as output for the Portal UI, this fixes deploying the Resource Group with a custom name.
+- Bug fix for Portal Accelerator. `subscriptionIds` now uses lambda function to obtain the subscription IDs from `corpConnectedLzSubscriptionId`. This fixes the Invalid Template error when selecting a corp connected landing zone deployment.
+- Bug fix for Portal Accelerator. `connectivitySubscriptionId` is now skipped when no networking components are deployed. This fixes an InvalidTemplateDeployment error deploying the Resource Group for UAMI.
+- From Portal Accelerator: removed the options to select VM vulnerability assessment provider and to select Defender for Cloud for DNS. These are now default to the recommended settings.
+
+### AMA Update for the Portal Accelerator
+
+The Azure Monitor Agent (AMA) is the new way to collect and send data to Azure Monitor. 
The Log Analytics agent, or the Microsoft Monitoring Agent (MMA), will no longer be supported after August 2024. To adapt to this change, the ALZ Portal Accelerator has been updated to use AMA instead of MMA.
+
+This update currently applies to Greenfield Portal Deployment Scenarios. Brownfield guidance as well as Bicep and Terraform updates to follow in short-term.
+
+We are happy to announce that we have added a new section in the documentation for AMA. Please visit [ALZ AMA Update](./ALZ-AMA-Update) for a detailed overview of the changes made to the ARM templates and Policies, as well as the deprecated policy assignments.
+
+> **IMPORTANT** We've added an ALZ AMA FAQ with important information about key changes in AMA. Please read the [ALZ AMA FAQ](./ALZ-AMA-FAQ) for more information.
+
+### 🔃 Policy Refresh Q2 FY24
+
+Yes, the Q2 Policy Refresh has been delayed due to a light past quarter and some very important initiatives that we feel had to make it into this refresh.
+
+#### Policy
+
+> **IMPORTANT** We've updated the ALZ Policy FAQ with important information about the new Diagnostic Settings v2 policies and initiatives that are will be landing soon. Please read the [ALZ Policy FAQ and Tips](./ALZ-Policies-FAQ) for more information.
+
+- Added built-in policy to Deploy-MDFC-Config initiative and default assignment to [Setup subscriptions to transition to an alternative vulnerability assessment solution](https://www.azadvertizer.net/azpolicyadvertizer/766e621d-ba95-4e43-a6f2-e945db3d7888.html). This policy will enable the Microsoft Defender for Endpoint Threat Vulnerability solution on all virtual machines in all subscriptions, which is free to all Azure subscribers. This is implemented as the Qualys based solution is retiring on 1 May, 2024. For more information, please see the [Microsoft Defender for Cloud documentation](https://docs.microsoft.com/en-us/azure/defender-for-cloud/how-to-transition-to-built-in).
+ - VM vulnerability scanning will be enabled by default at subscription level as there is no cost and it is best practice.
+
+> **IMPORTANT** Take special note of additional steps, in the docs page listed above, that are required to offboard the legacy Qualys solution from your environment.
+
+- 🎉 Added new initiative default assignment at the Intermediate Root Management Group for [Resources should be Zone Resilient](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/130fb88f-0fc9-4678-bfe1-31022d71c7d5.html) in Audit mode.
+- Added new default assignment at the Intermediate Root Management Group for [Resource Group and Resource locations should match](https://www.azadvertizer.net/azpolicyadvertizer/0a914e76-4921-4c19-b460-a2d36003525a.html), which will help customers better manage and identify regionally deployed resources and ultimately support improved resilience.
+- We are deprecating MariaDB custom policies. For more information: [ALZ Policies FAQ](./ALZ-Policies-FAQ)
+- Fixed a typo in the Private DNS Zones initiative for the policy definition IDs for Databrics (corrected to Databricks). While not a breaking change, it is recommended to redeploy the initiative to ensure the correct policy definition IDs are used if you are using Private DNS Zones for Databricks - specifically if you have configured any exclusions or overrides for the Databricks policy definitions, as these rely on the policy definition ID (which has been updated). You will need to recreate the exclusions or overrides for Databricks if you choose not to redeploy the initiative.
+- Added ['Container Apps environment should disable public network access'](https://www.azadvertizer.net/azpolicyadvertizer/d074ddf8-01a5-4b5e-a2b8-964aed452c0a.html) to ['Deny-PublicPaaSEndpoints'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaaSEndpoints.html)
+- Added ['Container Apps should only be accessible over HTTPS'](https://www.azadvertizer.net/azpolicyadvertizer/0e80e269-43a4-4ae9-b5bc-178126b8a5cb.html) to this ['Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html)
+
+### January 2024
+
+#### Tooling
+
+- Bug fix for Portal Accelerator, removing region restrictions for VPN Gateways when deploying regional (not AZ).
+- Bug fix for Portal Accelerator deployment when deploying using a single platform subscription. Previously, a single tenant deployment would have three failed deployments for diagnostic settings which were looking for non-existent management groups (Management, Identity and Connectivity). This has been fixed and the deployment will now succeed.
+- Added drop down selection option for Azure Private Link Private DNS Zones as part of portal based ALZ deployment experience where you can select to deploy or not to deploy a subset of Private Link Private DNS zones.
+- Updated ALZ policy testing framework on pull request to only test new or changed policies, drastically speeding up the testing process.
+
+#### Documentation
+
+- Updated broken links in [Deploying ALZ ZT Network](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-ALZ-ZTNetwork#azure-landing-zone-portal-accelerator-deployment-with-zero-trust-network-principles)
+- Added wiki document for recommended Resource Providers to register for Subscriptions in ALZ [ALZ Azure Resource Provider Recommendations](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Resource-Provider-Recommendations)
+
+
+### December 2023
+
+#### Tooling
+
+- Added a new policy/initiative submission form template for GitHub Issues. This will help us to better understand the policy/initiative you are submitting and will help us to review and approve the submission faster. Please use this template when submitting new policies/initiatives to the ALZ GitHub Issues page.
+
+#### Docs
+
+- Added new section to the ALZ Wiki FAQ to provide guidance around Private DNS Zone/Privatelink issues - [read here](ALZ-Policies-FAQ.md#private-dns-zone-issues).
+
+#### Other
+
+- December 6th External Community Call recording and slides published to [aka.ms/alz/community](https://aka.ms/alz/community)
+
+### November 2023
+
+#### Tooling
+
+- Added virtual hub routing preference support to Portal Accelerator for scenarios where you need to influence routing decisions in virtual hub router towards on-premises. For existing ALZ customers please visit [Configure virtual hub routing preference](https://learn.microsoft.com/azure/virtual-wan/howto-virtual-hub-routing-preference) for details on how to configure virtual hub routing preference settings.
+- Added virtual hub capacity option to Portal Accelerator which provides an option to select the number of routing infrastructure units. Please visit [Virtual hub capacity](https://learn.microsoft.com/azure/virtual-wan/hub-settings#capacity) for more details on Azure vWAN Virtual Hub Capacity configuration.
+- Fixed a bug in the portal accelerator experience when deploying with single platform subscription and selecting virtual WAN networking topology - Invalid Template error. +- Updated the ALZ Portal Accelerator and default assignments for Microsoft Defender for Cloud (MDFC) VM Vulnerability Assessment provider to default to use the PG recommended Microsoft Defender for Endpoint Threat/Vulnerability Management (mdeTVM) provider, instead of the Qualys provider. + +#### Docs + +- Fixed in ALZ Azure Setup the bash command to assign at root scope _Owner_ role to a Service Principal. +- Added a new section to describe ALZ Policy Testing Framework for ALZ custom policies [Policies Testing Framework](./ALZ-Policies-Testing). + +### October 2023 + +#### Policy + +- Added ['Container Apps environment should disable public network access'](https://www.azadvertizer.net/azpolicyadvertizer/d074ddf8-01a5-4b5e-a2b8-964aed452c0a.html) to ['Deny-PublicPaaSEndpoints'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaaSEndpoints.html) +- Added ['Container Apps should only be accessible over HTTPS'](https://www.azadvertizer.net/azpolicyadvertizer/0e80e269-43a4-4ae9-b5bc-178126b8a5cb.html) to this ['Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) +- The portal accelerator experience has been updated to include deployment of Azure Monitor baseline alerts. Details on the policies deployed can be found [here](https://aka.ms/amba/alz). 
+- Fixed issue with couple of Policy file names to align with the actual name of the policies +- Bug fix for [Deploy-MDFC-Config](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) version +- Add support to deploy ALZ Portal Accelerator into new Italy North region + +#### Tooling + +- Fixed a bug in the portal accelerator experience when deploying a VPN Gateway and Azure Firewall (Basic SKU) - IP address overlap error. +- Added vWAN Hub Routing Intent support to Portal Accelerator for scenarios that include Azure Firewall deployment. For existing ALZ customers please visit [How to configure Virtual WAN Hub routing intent and routing policies](https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies) for details on how to add routing intent to your environment. +- Enhanced the ALZ Portal Accelerator to provide the ability to deploy the Azure VPN Gateway in Active/Active mode as per feedback from [#655](https://github.com/Azure/Enterprise-Scale/issues/655). + +#### Docs + +- Updated the ALZ Wiki FAQ to include a section on why we've enabled GitHub Releases - [read here](https://github.com/Azure/Enterprise-Scale/wiki/FAQ#what-is-the-impact-of-github-releases-and-alz). +- Updated the ALZ Wiki FAQ to include a section on why some solutions may not deploy in an ALZ governed environment and how to work around it. + +### September 2023 + +#### Policy + +- Updated to the new [Configure Microsoft Defender for Storage to be enabled](https://www.azadvertizer.com/azpolicyadvertizer/cfdc5972-75b3-4418-8ae1-7f5c36839390.html) built-in policy to the `Deploy-MDFC-Config` initiative and assignment. + - Read more about the new Microsoft Defender for Storage here: [aka.ms//DefenderForStorage](https://aka.ms//DefenderForStorage). 
+ - NOTE: there are additional cost considerations associated with this feature - [more info](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction#malware-scanning-powered-by-microsoft-defender-antivirus). +- Added two new definitions with Deny Action feature: + - `DenyAction-ActivityLogSettings.json` + - `DenyAction-DiagnosticSettings.json` +- Bug fix for missing diagnostic settings category for policy `Deploy-Diagnostics-CosmosDB` +- Added the [Configure Azure Databricks workspace to use private DNS zones](https://www.azadvertizer.com/azpolicyadvertizer/0eddd7f3-3d9b-4927-a07a-806e8ac9486c.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment. + +> **Important:** For existing ALZ deployments, you will need to redeploy the below assignments with least privilege RBAC roles, and review and remove existing service principals `Owner` role assignments. The below list includes the scope that needs to be reviewed. For new deployments, the below assignments will be deployed with least privilege RBAC roles. + +![Where to find RBAC roles to cleanup](media/WN-RBACCleanup.png) + +- Remediating default policy/initiative assignments using `Owner` role to be least privilege where possible. 
Updated assignments: + - Deploy-AzActivity-Log (Management Group: Intermediate Root) + - Deploy-AKS-Policy (added additional required role) + - Deploy-Resource-Diag (Management Group: Intermediate Root) + - Deploy-SQL-TDE (Management Group: Landing Zone) + - Deploy-VM-Backup (Management Group: Landing Zone) + - Deploy-VM-Monitoring (Management Group: Intermediate Root) + - Deploy-VMSS-Monitoring (Management Group: Intermediate Root) + +#### Other + +- [Azure Landing Zone External Community Call - September 2023 - Hosted & Published](https://github.com/Azure/Enterprise-Scale/wiki/Community-Calls#25th-september-2023-25092023) + +### August 2023 + +#### Policy + +- Updating custom policies using over permissive roles (Owner) to use resource scoped roles (e.g., Storage Account Contributor, Azure SQL Contributor, etc.): + - Deploy-Storage-sslEnforcement + - Deploy-SqlMi-minTLS + - Added evaluationDelay as provisioning takes around 4 hours and policy remediation fails on create due to time outs (as it normally triggers after 10 minutes). + - Deploy-SQL-minTLS + - Deploy-MySQL-sslEnforcement (changed from Owner to Contributor role, no built in roles currently available) + - Deploy-PostgreSQL-sslEnforcement (changed from Owner to Contributor role, no built in roles currently available) +- Updated to the new [Configure Microsoft Defender for Storage to be enabled](https://www.azadvertizer.com/azpolicyadvertizer/cfdc5972-75b3-4418-8ae1-7f5c36839390.html) built-in policy to the `Deploy-MDFC-Config` initiative and assignment. + - Read more about the new Microsoft Defender for Storage here: [aka.ms//DefenderForStorage](https://aka.ms//DefenderForStorage). + - NOTE: there are additional cost considerations associated with this feature - [more info](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction#malware-scanning-powered-by-microsoft-defender-antivirus). 
+ +#### Other + +- Renamed Azure Active Directory to Microsoft Entra ID + +### July 2023 + +Major update in this release: introducing the Policy Testing Framework foundation, along with tests for all assigned infrastructure policies that use the DENY effect. This will allow us to test the policies in a more automated fashion, and will help us to ensure that we don't introduce any regressions in the future and maintain a higher level of quality for our policies. We will be adding additional tests for custom policies in the future. + +#### Policy + +- Added additional initiative assignment for [Enforce-Guardrails-KeyVault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html) to the Platform Management Group to improve security coverage. Initially this assignment was only applied to the Landing Zone Management Group. + - Update Portal RI to include the new assignment option for the Key Vault initiative under Platform Management. +- Added new custom policy to audit Virtual Machines not using Azure Hybrid Benefit (Audit-AzureHybridBenefit) +- Fixing bug in [Deploy-Sql-vulnerabilityAssessments](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html) to achieve compliance if successfully remediated. NOTE: Due to the need to change parameters, this is a breaking change. The original policy will remain in place but will be deprecated and a new policy will be deployed for the fix [Deploy-Sql-vulnerabilityAssessments_20230706](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html) - please update assignments accordingly - many thanks @Matt-FFFFFF. 
+- Bug fix for [Management port access from the Internet should be blocked](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html) not enforcing deny effect when a deployment includes rules defined in network security group properties (i.e., when specifying rules when creating the NSG) - many thanks to @DavidRobson. +- QoL updates: adding supersededBy metadata and adding links in the description to deprecated custom policies to point to the superseding policy - aligned with ALZ specific feature updates in [AzAdvertizer](https://www.azadvertizer.net/). +- Policy Testing Framework implemented for custom ALZ DENY policies (See Tooling section below). + +#### Tooling + +- Enhanced the Azure Firewall Basic experience in the ALZ Portal Accelerator based on feedback from [#1370](https://github.com/Azure/Enterprise-Scale/issues/1370) by removing the DNS proxy option when selecting the `Basic` SKU +- Updated Sentinel deployment to use new [simplified pricing tier](https://learn.microsoft.com/azure/sentinel/enroll-simplified-pricing-tier?tabs=azure-resource-manager) +- Established a Policy Testing Framework based on Pester, built on the work done by @fawohlsc in this repo [azure-policy-testing](https://github.com/fawohlsc/azure-policy-testing) + +#### Docs + +- Updated contribution guide to include a new section to describe how to implement tooltips when adding new policies with default assignments that require updates to the portal reference implementation. +- Adding text to the ALZ-Policies wiki page to clarify that we do use preview policies as part of initiatives in some default assignments. + +### June 2023 + +#### Policy + +- Fixed default assignment for SQLEncryption (DINE-SQLEncryptionPolicyAssignment) to use the correct policy definition. +- Added new default assignment for SQLThreatDetection (DINE-SQLThreatPolicyAssignment) to use the previous policy definition from DINE-SQLEncryptionPolicyAssignment. 
+- Updated the assignment DINE-LogAnalyticsPolicyAssignment (Deploy-Log-Analytics) to default enforcement mode to "DoNotEnforce". The Log Analytics workspace is deployed directly by the reference implementations, and as a result this policy is no longer required to deploy the Log Analytics workspace. Retaining the assignment for auditing purposes. +- Added new custom policies for (many thanks @jeetgarg): + - Storage Accounts with custom domains assigned should be denied - [Deny-StorageAccount-CustomDomain](https://www.azadvertizer.net/azpolicyadvertizer/Deny-StorageAccount-CustomDomain.html) + - File Services with insecure Kerberos ticket encryption should be denied - [Deny-FileServices-InsecureKerberos](https://www.azadvertizer.net/azpolicyadvertizer/Deny-FileServices-InsecureKerberos.html) + - File Services with insecure SMB channel encryption should be denied - [Deny-FileServices-InsecureSMBChannel](https://www.azadvertizer.net/azpolicyadvertizer/Deny-FileServices-InsecureSMBChannel.html) + - File Services with insecure SMB versions should be denied - [Deny-FileServices-InsecureSMBVersions](https://www.azadvertizer.net/azpolicyadvertizer/Deny-FileServices-InsecureSMBVersions.html) + - File Services with insecure authentication methods should be denied - [Deny-FileServices-InsecureAuth](https://www.azadvertizer.net/azpolicyadvertizer/Deny-FileServices-InsecureAuth.html) + - 'User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied' + - 'Storage Accounts with SFTP enabled should be denied' + - 'Subnets without Private Endpoint Network Policies enabled should be denied' + +#### Tooling + +- Updated Portal Accelerator tooltips to provide more relevance and links to associated policies or initiatives. 
+ +#### Other + +- When the option to deploy Log Analytics workspace and enable monitoring is enabled (Yes) in the Platform management, security, and governance section, Diagnostic Settings for Management Groups are also deployed. + +### May 2023 + +#### Policy + +- Updated `Deploy-Diagnostics-APIMgmt.json` to support resource-specific destination table in the diagnostic setting for API Management. +- Updated `Deploy-Diagnostics-LogAnalytics.json` policy initiative with new parameter to support resource-specific destination table in the diagnostic setting for API Management. +- Updated `Deploy-Diagnostics-Firewall.json` to support resource-specific destination table in the diagnostic setting for Firewall +- Updated `Deploy-Diagnostics-LogAnalytics.json` policy initiative with new parameter to support resource-specific destination table in the diagnostic setting for Firewall +- Updated `Deploy-Diagnostics-APIMgmt.json` to support resource-specific destination table in the diagnostic setting for API Management +- Updated `Deploy-Diagnostics-LogAnalytics.json` policy initiative with new parameter to support resource-specific destination table in the diagnostic setting for API Management +- Bug fix for `effect` for the Key Vault setting (incorrect case) in `Deploy-MDFC-Config.json` initiative. +- Bug fix for [Management port access from the Internet should be blocked](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html) when a destination port array is submitted that contains port ranges that includes a denied port (22, 3389, and any others) when creating new NSG rules. +- Bug fix for [AppService append sites with minimum TLS version to enforce.](https://www.azadvertizer.net/azpolicyadvertizer/Append-AppService-latestTLS.html) where the policy was preventing the creation of connection strings via API. The fix revises the policy rule logic to address the blocking issue. +- Fixed minor grammatical errors in two policy assignments. 
+- Deprecated policy [`Deny-MachineLearning-PublicNetworkAccess`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MachineLearning-PublicNetworkAccess.html). +- Update initiative [`Deny-PublicPaaSEndpoints`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaaSEndpoints.html) to replace deprecated policy `Deny-MachineLearning-PublicNetworkAccess` with builtin [`438c38d2-3772-465a-a9cc-7a6666a275ce`](https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html). +- Deprecated policy [`Deny-PublicEndpoint-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-PublicEndpoint-MariaDB.html). +- Update initiative [`Deny-PublicPaaSEndpoints`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaaSEndpoints.html) to replace deprecated policy `Deny-PublicEndpoint-MariaDB` with builtin [`fdccbe47-f3e3-4213-ad5d-ea459b2fa077`](https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html) - special note: US Gov/Fairfax still uses the now deprecated policy as the builtin is not yet available. +- Standardized denied network resources in policy assignments for Corp and Sandbox management groups as per GH #1333. +- Added non-compliance message to `Enforce-ALZ-Sandbox` initiative assignment. + +#### Docs + +- Updated wiki deployment guides for the four main scenarios to include the new Decommissioned and Sandbox step in the portal accelerator. +- Updated ALZ Policies wiki to make the link to the Excel spreadsheet more prominent. +- Updated ALZ Policies wiki images to reflect policy initiative assignments now included for Decommissioned and Sandbox management groups. +- Updated the ALZ Policy Assignments Excel spreadsheet to include a release version column so users can track when those policies last changed and verified all assignments have a relevant AzAdvertizer link for policy details. 
+- [Azure Enablement Show: Updating your Azure landing zones](https://www.youtube.com/watch?v=VvZDftlF20w) published +- [Tech Community Blog: Azure Monitor Baseline Alerts (Preview)](https://techcommunity.microsoft.com/t5/azure-governance-and-management/azure-monitor-baseline-alerts-preview/ba-p/3810463) published +- Updated wiki documentation to so reflect the removal of the "Platform DevOps and automation" section from ALZ Portal Accelerator +- Added support for Azure Firewall Basic SKU to Hub & Spoke and Virtual WAN deployments in the ALZ Portal Accelerator +- Updated wiki documentation towards Subscription Vending approach for landing zone (subscription) creation +- A brand new [ALZ Policy FAQ and Tips](./ALZ-Policies-FAQ) page has been added to the wiki to help answer some of the most common questions and provide some useful tips for working with ALZ policies. +- Updated [ALZ Contribution Guide](./ALZ-Contribution-Guide) to include new section on how to contribute to ALZ policies resulting in breaking changes, and some minor refactoring to make it more readable. + +#### Tooling + +- ALZ Bicep [`v0.14.0`](https://github.com/Azure/ALZ-Bicep/releases/tag/v0.14.0) released + - [ALZ Bicep Accelerator (MVP) launched](https://github.com/Azure/ALZ-Bicep/wiki/Accelerator) +- ALZ Terraform (`caf-enterprise-scale`) [`v4.0.0`](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/releases/tag/v4.0.0) released +- ALZ Portal Accelerator: "Platform DevOps and automation" section removed + +#### Other + +- Removed resources from `workloads` folder and redirected to Azure Architectures Center page of [Deploy Azure landing zones](https://aka.ms/alz/aac) + +### April 2023 + +We are pleased to announce that we are starting regular Azure Policy reviews for Azure Landing Zone. 
This includes a review of new built-in policies released and their suitability for ALZ, built-in policies that can replace custom ALZ policies, built-in policies that have been deprecated and addition of new ALZ custom policies and initiatives as identified based on best practices, issues raised and customer feedback. Most importantly, we have also provided default assignments for all the new policies at the appropriate ALZ Management Group level. This will ensure that all new policies are automatically assigned to the appropriate scope and will be in compliance with the ALZ baseline. This will also ensure that the ALZ is always up to date with the latest Azure Policy definitions. + +This update includes many ALZ Azure Policies and Initiatives that have been added or updated to enhance the security, governance, and management of ALZ. As part of our commitment to continuous improvement, we have also enhanced our policy review process, with a focus on transitioning away from deprecated policies where possible, move from custom to built-in policies providing the same or enhanced functionality, and implementing new policies to keep ALZ as part of the current review cycle. We have also implemented non-compliance messages where supported to provide a better user experience when a policy is non-compliant. + +This is the first major review and refresh of Azure Policy since ALZ was GA'd. Since GA many new built-in policies and initiatives have been released which has driven the need for this review. We believe that a regular review cycle will allow us to stay on top of emerging trends and new policies, ensuring that our Azure environment remains secure and compliant. Should you identify policies or initiatives that should be considered for ALZ, kindly submit an [GitHub issue](https://github.com/Azure/Enterprise-Scale/issues). 
For more information, please refer to the [ALZ Policies](ALZ-Policies.md) or the new [Excel spreadsheet](media/ALZ%20Policy%20Assignments%20v2.xlsx) version. + +We strongly advise staying up-to-date to ensure the best possible security posture for your Azure environment, see [Keep your Azure landing zone up to date](https://aka.ms/alz/update). For those with existing deployments or policies, we have provided [Brownfield guidance](https://aka.ms/alz/brownfield) to help you navigate the process of updating to the latest policies. We recognize that there may be breaking changes when upgrading an existing deployment or policies and for details follow our recently released guidance to support you in this process: + +- [Update Azure landing zone custom policies](https://aka.ms/alz/update/custom) +- [Migrate Azure landing zone policies to Azure built-in policies](https://aka.ms/alz/update/builtin) + +> **Please note** that, in some cases, moving to the new Built-In Policy definitions, deploying changes to existing custom policies or removing deprecated policies will require a new Policy Assignment and removing the previous Policy Assignment, which will mean compliance history for the Policy Assignment will be lost. However, if you have configured your Activity Logs and Security Center to export to a Log Analytics Workspace, Policy Assignment historic data will be stored here as per the retention duration configured. Thank you for your cooperation, and we look forward to continuing to work with you to ensure the security and compliance of our Azure environment. + +> While we've made every effort to test the stability of this release, should you have any issues and the guidance provided does not resolve your issue, please open a [GitHub issue](https://github.com/Azure/Enterprise-Scale/issues) so we can do our best to support you and document the fix for others. 
+ +#### Policy + +##### Breaking Changes + +Note that a number of initiatives have been updated that will fail to deploy if you have existing deployments. This is due to the fact that the number of parameters and default values have changed, as we've added or removed policies from the initiative. To resolve this, you will need to remove the existing initiative assignments and then redeploy the updated initiative. + +| Initiative Name | Change | Recommended Action | +| --- | --- | --- | +| [Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) | Removed a deprecated policy, superceding policy is already in the initiative | Remove existing initiative assignment, delete the custom initiative and remove the orphaned identity. Deploy the updated initiative. | + +##### New + +- New Initiative for the Decommissioned landingzones including policies: + - Initiative name: `Enforce-ALZ-Decomm` + - [Allowed resource types](https://www.azadvertizer.net/azpolicyadvertizer/a08ec900-254a-4555-9bf5-e42af04b5c5c.html) - resources are not allowed to be deployed, however, authorization, lock and tag management are permitted. + - New policy to deploy an auto shutdown policy for virtual machines - Deploy-Vm-autoShutdown + - Portal accelerator updated with additional tab and options to enable this initiative. +- New Initiative for the Sandboxes landingzones including policies: + - Initiative name: `Enforce-ALZ-Sanbox` + - [Not allowed resource types](https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html) - blocking the deployment of ER/VPN/vWAN + - [Deny vNet peering cross subscription.](https://www.azadvertizer.net/azpolicyadvertizer/Deny-VNET-Peer-Cross-Sub.html) + - Portal accelerator updated with additional tab and options to enable this initiative. 
+- Added initiative assignment [[Preview]: Deploy Microsoft Defender for Endpoint agent](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/e20d08c5-6d64-656d-6465-ce9e37fd0ebc.html) to 'Intermediate Root' Management Group. +- Added assignment of [Network interfaces should not have public IPs](https://www.azadvertizer.net/azpolicyadvertizer/83a86a26-fd1f-447c-b59d-e51f44264114.html) built-in Policy to the 'Corp' Management Group. +- Added new initiative and assignment to implement recommended guardrails for Azure Key Vault at the landing zones management group + - Initiative name: `ENFORCE-Guardrails-KeyVault` + - Policies included: [ALZ Polices](https://aka.ms/alz/policies) + - Portal accelerator updated +- Added two new policy assignments to govern Corp Management Group networking: + - `DENY-HybridNetworking` - blocks the provisioning of vWAN/ER/VPN, including gateways, in Corp + - `AUDIT-PeDnsZones` - audits the provisioning of Private Link Private DNS Zones in Corp + - **NOTE**: The policy default values include all the static Private DNS Zones only. When assigned via the ALZ portal experience the assignment includes all the Private DNS Zones that are deployed as part of the ALZ Portal experience, including the geo code/regional zones for Azure Backup, AKS etc. 
+- Added new policy assignment to audit WAF enabled on Application Gateways (`Audit-AppGW-WAF`) +- Added new initiative and assignment to enable Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines (`Enforce-ACSB`) +- Added new Diagnostic setting category for Host Pools Diagnostic Settings to `Deploy-Diagnostics-WVDHostPools` + - `ConnectionGraphicsData` +- Added new Diagnostic setting category for EventGrid Topics Diagnostic Settings to `Deploy-Diagnostics-EventGridTopic` + - `DataPlaneRequests` +- Added two new policy initiative assignments to enable Advanced Threat Detection for databases at intermediate root: + - [Configure Advanced Threat Protection to be enabled on open-source relational databases](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e.html) + - [Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97.html) +- Add new Azure Policy Initiative and assignment [(Audit-UnusedResourcesCostOptimization)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Audit-UnusedResourcesCostOptimization.html), at the intermediate root management group (e.g. `contoso`), to audit unused resources that are driving costs. +- Added new assignment to deny deployment of virtual machines and virtual machine scale sets using unmanaged OS disks. 
+- Added a policy assignment to deny Classic resources at the `Intermediate Root` management group + +##### Update + +- Removed deprecated policy [[Deprecated]: Latest TLS version should be used in your API App (azadvertizer.net)](https://www.azadvertizer.net/azpolicyadvertizer/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e.html) from initiative [Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) as recommended policy is already included in the initiative. + - **BREAKING CHANGE** (parameters changed): + - Delete assignment [Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html). + - Delete custom initiative prior to applying updates as parameters have changed, then re-assign. + - Delete orphaned indentity on Landing Zone scope. + - Deploy new initiative on Landing Zone scope. 
+- Updated initiative [Deny or Audit resources without Encryption with a customer-managed key (CMK) (azadvertizer.net)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK.html) deprecated policy [[Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest](https://www.azadvertizer.net/azpolicyadvertizer/0d134df8-db83-46fb-ad72-fe0c9428c8dd.html) to new policy [Azure Policy definition SQL servers should use customer-managed keys to encrypt data at rest](https://www.azadvertizer.net/azpolicyadvertizer/0a370ff3-6cab-4e85-8995-295fd854c5b8.html) +- Updated initiative and assignment [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) to include the new policies: + - [[Preview]: Configure Microsoft Defender for APIs should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6.html) + - [Configure Microsoft Defender CSPM to be enabled](https://www.azadvertizer.net/azpolicyadvertizer/689f7782-ef2c-4270-a6d0-7664869076bd.html) + - [Configure machines to receive a vulnerability assessment provider](https://www.azadvertizer.net/azpolicyadvertizer/13ce0167-8ca6-4048-8e6b-f996402e3c1b.html) + - [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) + - [Configure Azure Kubernetes Service clusters to enable Defender profile](https://www.azadvertizer.net/azpolicyadvertizer/64def556-fbad-4622-930e-72d1d5589bf5.html) +- Replaced policy assignment "Auditing on SQL server should be enabled" with "Configure SQL servers to have auditing enabled to Log Analytics workspace" on `Landing Zones` Management Group, to suitably assign respective DINE policy definition, instead of AINE +- Deprecated `Deny-RDP-From-Internet` and added new policy `Deny-MgmtPorts-From-Internet` which is more flexible and blocks port 22 
and 3389 by default +- Updated the initiative `Deny-PublicPaaSEndpoints` to include additional policies available to block public access for PaaS services + - Updated [storage](https://www.azadvertizer.net/azpolicyadvertizer/b2982f36-99f2-4db5-8eff-283140c09693.html) and [Key Vault](https://www.azadvertizer.net/azpolicyadvertizer/405c5871-3e91-4644-8a63-58e19d68ff5b.html) to use new policies using the `/publicNetworkAccess` alias +- Added new policy to initiative that enables diagnostic settings for VWAN S2S and added as part of diagnostic settings policy initiative. +- Updated ALZ Policies wiki: + - Removed the "Version" column to improve readability. + - Added the option to download an Excel file with all the policy/initiative assignments. +- Update ALZ Policies wiki: Excel file with all the policy/initiative assignments. +- Renamed Policies from `WVD` to `AVD` - Display names and Descriptions only +- Update the `Deploy SQL Database built-in SQL security configuration` initiative to point to the built-in policy [Deploy SQL DB transparent data encryption](https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html) instead of the deprecated custom policy `Deploy SQL Database built-in SQL security configuration`. +- Update policy [Append-Redis-disableNonSslPort](https://www.azadvertizer.net/azpolicyadvertizer/Append-Redis-disableNonSslPort.html): remove not applicable 'modify' effect. +- Update ALZ Policies Wiki to include guidance around the use of managed identities with the ALZ Policy Initiative. + +##### Retire + +- Deprecated the custom ALZ policy `Deploy SQL Database Transparent Data Encryption` as there is now a built-in policy available in Azure Policy [Deploy SQL DB transparent data encryption](https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html). +- No longer assign Databricks custom policies at `Corp` management group scope. 
Policies: + - Deny-Databricks-NoPublicIp + - Deny-Databricks-Sku + - Deny-Databricks-VirtualNetwork + +> If you are not using these policies, we advise you remove the assignment at `Corp` management group level, if you are not utilizing them. + +#### Portal Accelerator + +- FIX: Updated the Fairfax (US Gov) portal accelerator experience so it now works as expected. +- Service Map solution has been removed as an option to be deployed, as this has been superseded by VM Insights, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights) Guidance on migrating and removing the Service Map solution can be found [here.](https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-migrate-from-service-map) + +#### Other + +- [Azure Landing Zone External Community Call - April 2023 - Hosted & Published](https://github.com/Azure/Enterprise-Scale/wiki/Community-Calls#27th-april-2023-27042023) + ### March 2023 #### Docs - Added new question and answer to FAQ for ["Why hasn't Azure landing zones migrated to the Azure Monitor Agent yet?"](https://github.com/Azure/Enterprise-Scale/wiki/FAQ#why-hasnt-azure-landing-zones-migrated-to-the-azure-monitor-agent-yet) -- Published new CAF docs for Azure landing zones and multiple Azure Active Directory tenants - [aka.ms/ALZ/MultiTenant](https://aka.ms/ALZ/MultiTenant) +- Published new CAF docs for Azure landing zones and multiple Microsoft Entra tenants - [aka.ms/ALZ/MultiTenant](https://aka.ms/ALZ/MultiTenant) #### Tooling 
@@ -93,20 +620,21 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: #### Docs - Migrated the following pages to the [Enterprise-Scale Wiki](https://github.com/Azure/Enterprise-Scale/wiki/) - - | Original URL | New URL | - | --- | --- | - | [docs/ESLZ-Policies.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) | [wiki/ALZ-Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) | - | [docs/EnterpriseScale-Architecture.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Architecture.md) | [wiki/ALZ-Architecture](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Architecture) | - | [docs/EnterpriseScale-Contribution.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Contribution.md) | [wiki/ALZ-Contribution](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Contribution) | - | [docs/EnterpriseScale-Deploy-landing-zones.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-landing-zones.md) | [wiki/ALZ-Deploy-landing-zones](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-landing-zones) | - | [docs/EnterpriseScale-Deploy-reference-implentations.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-reference-implentations.md) | [wiki/ALZ-Deploy-reference-implementations](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-reference-implementations) | - | [docs/EnterpriseScale-Deploy-workloads.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-workloads.md) | [wiki/ALZ-Deploy-workloads](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-workloads) | - | [docs/EnterpriseScale-Known-Issues.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Known-Issues.md) | [wiki/ALZ-Known-Issues](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Known-Issues) | - | 
[docs/EnterpriseScale-Roadmap.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Roadmap.md) | [wiki/ALZ-Roadmap](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Roadmap) | - | [docs/EnterpriseScale-Setup-aad-permissions.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-aad-permissions.md) | [wiki/ALZ-Setup-aad-permissions](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-aad-permissions) | - | [docs/EnterpriseScale-Setup-azure.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md) | [wiki/ALZ-Setup-azure](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-azure) | - + +| Original URL | New URL | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | +| [docs/ESLZ-Policies.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) | [wiki/ALZ-Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) | +| [docs/EnterpriseScale-Architecture.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Architecture.md) | [wiki/ALZ-Architecture](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Architecture) | +| [docs/EnterpriseScale-Contribution.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Contribution.md) | [wiki/ALZ-Contribution](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Contribution) | +| [docs/EnterpriseScale-Deploy-landing-zones.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-landing-zones.md) | [wiki/ALZ-Deploy-landing-zones](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-landing-zones) | +| 
[docs/EnterpriseScale-Deploy-reference-implentations.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-reference-implentations.md) | [wiki/ALZ-Deploy-reference-implementations](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-reference-implementations) | +| [docs/EnterpriseScale-Deploy-workloads.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-workloads.md) | [wiki/ALZ-Deploy-workloads](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-workloads) | +| [docs/EnterpriseScale-Known-Issues.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Known-Issues.md) | [wiki/ALZ-Known-Issues](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Known-Issues) | +| [docs/EnterpriseScale-Roadmap.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Roadmap.md) | [wiki/ALZ-Roadmap](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Roadmap) | +| [docs/EnterpriseScale-Setup-aad-permissions.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-aad-permissions.md) | [wiki/ALZ-Setup-aad-permissions](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-aad-permissions) | +| [docs/EnterpriseScale-Setup-azure.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md) | [wiki/ALZ-Setup-azure](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-azure) | + + - Updated the guidance for contributing to the [Azure/Enterprise-Scale](https://github.com/Azure/Enterprise-Scale/) repository #### Tooling 
@@ -117,7 +645,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Updated "**Deploy Diagnostic Settings to Azure Services**" initiative replacing deprecated policy for diagnostic settings on Storage Account - Removed all exclusions (parameters) from the Microsoft Cloud Security Benchmark (currently Azure Security Benchmark) initiative assignment to standardize across reference architectures and align with best practice. -Impacted assignment: Deploy-ASC-Monitoring + Impacted assignment: Deploy-ASC-Monitoring - Updated "**Deploy Diagnostic Settings for Data Factory to Log Analytics workspace" to include new categories of: `SandboxPipelineRuns` & `SandboxActivityRuns` - Add missing `minimalSeverity` parameter to `Deploy-ASC-SecurityContacts` Policy Definition @@ -134,7 +662,7 @@ Impacted assignment: Deploy-ASC-Monitoring - Included documentation on how to [Migrate ALZ custom policies to Azure builtin policies](migrate-alz-policies-to-builtin.md) to the Wiki. - Added links to the superseding policies on the [ALZ Deprecated Services](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deprecated-Services#deprecated-policies) page. - Renamed Azure Security Benchmark references to [Microsoft Cloud Security Benchmark](https://learn.microsoft.com/security/benchmark/azure/introduction). - + #### Tooling - Updated ALZ Portal Accelerator to support all available Availability Zones as listed [here](https://learn.microsoft.com/azure/reliability/availability-zones-service-support#azure-regions-with-availability-zone-support) 
@@ -144,16 +672,20 @@ Impacted assignment: Deploy-ASC-Monitoring - "**Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace**" definition added and also added to `Deploy-Diagnostics-LogAnalytics` initiative - "**Deploy Diagnostic Settings for Databricks to Log Analytics workspace**" definition update + - Version 1.1.0 -> 1.2.0 - Added missing log categories - "**Deploy SQL Database security Alert Policies configuration with email admin accounts**" definition update + - Version 1.0.0 -> 1.1.1 - Changed email addresses from hardcoding to array parameter - "**Deploy SQL Database Transparent Data Encryption**" definition update + - Version 1.0.0 -> 1.1.0 - Added system databases master, model, tempdb, msdb, resource to exclusion parameter as default values - Added as Policy Rule 'notIn' which will exclude the above databases from the policy - Updated "**Deploy-Private-DNS-Zones**" Custom initiative for **Azure Public Cloud**, with latest built-in Policies. Policies were added for the following Services: + - Azure Automation - Azure Cosmos DB (all APIs: SQL, MongoDB, Cassandra, Gremlin, Table) - Azure Data Factory @@ -164,6 +696,7 @@ Impacted assignment: Deploy-ASC-Monitoring - Azure Media Services - Azure Monitor - Minor fixes related to "**Deploy-Private-DNS-Zones**" Custom Initiative and respective Assignment: + - Added missing Zones for **"WebPubSub"** and **"azure-devices-provisioning"**, so Initiative Assignment works correctly - Minor correction related to **ASR Private DNS Zone variable**, so Initiative Assignment works correctly - Conversion of **"Azure Batch"** Private DNS Zone (from regional to global), to properly align with latest respective documentation and functionality 
@@ -172,29 +705,32 @@ Impacted assignment: Deploy-ASC-Monitoring - Added `Configure Microsoft Defender for Azure Cosmos DB to be enabled` to the `Deploy Microsoft Defender for Cloud configuration` initiative and updated version to `3.1.0` - Fixing issue [issue #1081](https://github.com/Azure/Enterprise-Scale/issues/1081) - Added `AZFWFlowTrace` category for Azure Firewall in associated Diagnostic Policy - Deprecated the following ALZ policies + - [Deploy-Nsg-FlowLogs](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Nsg-FlowLogs.html) - [Deploy-Nsg-FlowLogs-to-LA](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Nsg-FlowLogs-to-LA.html) - [Deny-PublicIp](https://www.azadvertizer.net/azpolicyadvertizer/Deny-PublicIP.html) - + in favour of Azure built-in policies with the same or enhanced functionality. - - | ALZ Policy ID(s) | Azure Builti-in Policy ID(s) | - |------------------------------------------------|--------------------------------------| - | Deploy-Nsg-FlowLogs-to-LA | e920df7f-9a64-4066-9b58-52684c02a091 | - | Deploy-Nsg-FlowLogs | e920df7f-9a64-4066-9b58-52684c02a091 | - | Deny-PublicIp | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 | - + +| ALZ Policy ID(s) | Azure Builti-in Policy ID(s) | +| --------------------------- | -------------------------------------- | +| Deploy-Nsg-FlowLogs-to-LA | e920df7f-9a64-4066-9b58-52684c02a091 | +| Deploy-Nsg-FlowLogs | e920df7f-9a64-4066-9b58-52684c02a091 | +| Deny-PublicIp | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 | + + - "**"Deploy-ASC-SecurityContacts"**" definition update + - displayName and description update to "Deploy Microsoft Defender for Cloud Security Contacts" - Added new parameter `minimalSeverity` with settings - Default value `High` - Allowed values: `High`, `Medium`, `Low` - - "**"Deploy-MDFC-Config"**" definition update + - Updated policy definitions set Deploy-MDFC-Config, Deploy-MDFC-Config(US Gov), Deploy-MDFC-Config (China) - added new parameter `minimalSeverity`. 
- added default value for multiple parameters. - + ### Other - *No updates, yet.* @@ -243,7 +779,7 @@ Impacted assignment: Deploy-ASC-Monitoring #### Docs - Updated the Enterprise-scale [Wiki](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/) to reflect the latest updates on Azure landing zone accelerator. - + - [Deploy Azure landing zone portal accelerator](./Deploying-ALZ) - [Deployment guidance for Small Enterprises](./Deploying-ALZ-BasicSetup) - [How to deploy without hybrid connectivity](./Deploying-ALZ-Foundation) @@ -334,7 +870,7 @@ Impacted assignment: Deploy-ASC-Monitoring - Add 2 new categories for Host Pools Diagnostic Settings - `NetworkData` - `SessionHostManagement` -- Added AVD Scaling Plans Diagnostic Settings called `Deploy-Diagnostics-AVDScalingPlans` for Azure Public only - as not supported in Fairfax or Mooncake as per - Fixing issue [issue #962](https://github.com/Azure/Enterprise-Scale/issues/962) +- Added AVD Scaling Plans Diagnostic Settings called `Deploy-Diagnostics-AVDScalingPlans` for Azure Public only - as not supported in Fairfax or Mooncake as per [https://learn.microsoft.com/azure/virtual-desktop/autoscale-scaling-plan](https://docs.microsoft.com/azure/virtual-desktop/autoscale-scaling-plan) - Fixing issue [issue #962](https://github.com/Azure/Enterprise-Scale/issues/962) - Added to `Deploy-Diagnostics-LogAnalytics` Policy Initiative - Added additional log categories to `Deploy-Diagnostics-Firewall` for Azure Firewall Diagnostic Settings Policy - Fixing issue [issue #985](https://github.com/Azure/Enterprise-Scale/issues/985) - Added additional log categories to `Deploy-Diagnostics-APIMgmt` for Azure API Management Diagnostic Settings Policy - Fixing issue [issue #986](https://github.com/Azure/Enterprise-Scale/issues/986) 
@@ -448,7 +984,7 @@ Impacted assignment: Deploy-ASC-Monitoring - Updated portal experiences for Public and Fairfax | Policy Definition Display Name | Policy Definition ID | Note | -| ----------------------------------------------------------------------------- | ------------------------------------ | ------------------------------------------------------ | +| ------------------------------------------------------------------------------- | -------------------------------------- | -------------------------------------------------------- | | [Deprecated]: Configure Azure Defender for container registries to be enabled | d3d1e68e-49d4-4b56-acff-93cef644b432 | REMOVED - Old ACR policy | | [Deprecated]: Configure Azure Defender for Kubernetes to be enabled | 133047bf-1369-41e3-a3be-74a11ed1395a | REMOVED - Old AKS Policy | | Configure Microsoft Defender for Containers to be enabled | c9ddb292-b203-4738-aead-18e2716e858f | ADDED - New grouped containers policy for the new plan | @@ -478,7 +1014,7 @@ Impacted assignment: Deploy-ASC-Monitoring - The following policy definitions for Microsoft Defender for Cloud configurations are not available as built-in in Azure China. The policy set definition will be updated as when these policy definitions are available: - defenderForOssDb, defenderForSqlServerVirtualMachines, defenderForAppServices, defenderForAppServices, defenderForStorageAccounts, defenderForKeyVaults, defenderForDns, defenderForArm - + ### November 2021 #### Docs 
@@ -492,11 +1028,10 @@ Impacted assignment: Deploy-ASC-Monitoring ### Policy - Replaced `Deploy-Default-Udr` policy with `Deploy-Custom-Route-Table` that allows deploying custom route tables with an arbitrary set of UDRs (including a 0/0 default route if needed). See [here](https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/deploy-policy-driven-routing.md) for usage details. - - Updated `Deploy-Budget` policy, to v1.1.0, adding new parameter of `budgetName` that defaults to: `budget-set-by-policy` - closing issue [#842](https://github.com/Azure/Enterprise-Scale/issues/842) + - Including Fairfax - Also Mooncake (Azure China) even though not in use yet - - Added `AuditEvent` to `Deploy-Diagnostics-AA` Policy Definition to ensure correct compliance reporting on Automation Account used for diagnostics - closing issue [#864](https://github.com/Azure/Enterprise-Scale/issues/864) ### Other @@ -510,7 +1045,7 @@ Impacted assignment: Deploy-ASC-Monitoring #### Docs - Updates to [User Guide](https://github.com/Azure/Enterprise-Scale/wiki) to include instructions for deploying each of the reference implementations. -- Updated Deploying Enterprise Scale wiki page with updated workflow steps. () +- Updated Deploying Enterprise Scale wiki page with updated workflow steps. ([https://github.com/Azure/Enterprise-Scale/pull/827](https://github.com/Azure/Enterprise-Scale/pull/827)) - Updated [implementation FAQ](https://github.com/Azure/Enterprise-Scale/wiki/FAQ) and moved to the Wiki - Added [architecture FAQ](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/faq) to the CAF docs 
@@ -542,23 +1077,23 @@ Impacted assignment: Deploy-ASC-Monitoring #### Docs -- Added reference to Enterprise-Scale Analytics () -- Added Do-It-Yourself instructions for deploying Enterprise-Scale in Azure China regions () +- Added reference to Enterprise-Scale Analytics ([https://github.com/Azure/Enterprise-Scale/pull/809](https://github.com/Azure/Enterprise-Scale/pull/809)) +- Added Do-It-Yourself instructions for deploying Enterprise-Scale in Azure China regions ([https://github.com/Azure/Enterprise-Scale/pull/802](https://github.com/Azure/Enterprise-Scale/pull/802)) #### Tooling -- Added Option to select Azure Firewall SKU () +- Added Option to select Azure Firewall SKU ([https://github.com/Azure/Enterprise-Scale/pull/793](https://github.com/Azure/Enterprise-Scale/pull/793)) - [AzOps release v1.5.0](https://github.com/Azure/AzOps/releases/tag/1.5.0) -- Enabled support for Enterprise-Scale landing zones deployments to Azure gov () +- Enabled support for Enterprise-Scale landing zones deployments to Azure gov ([https://github.com/Azure/Enterprise-Scale/pull/820](https://github.com/Azure/Enterprise-Scale/pull/820)) ### Policy -| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | Built-In Policy Name/ID | Built-In Policy Display Name | Built-In Category | Notes | -| :--------------------------------------: | :---------------------------------------------------------------: | :--------------: | :---------------------: | :--------------------------: | :---------------: | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | -| Deny-Databricks-NoPublicIp | Deny public IPs for Databricks cluster | Databricks | | | | Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. 
| -| Deny-Databricks-Sku | Deny non-premium Databricks sku | Databricks | | | | Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. | -| Deny-Databricks-VirtualNetwork | Deny Databricks workspaces without Vnet injection | Databricks | | | | Enforces the use of vnet injection for Databricks workspaces. | -| Deny-MachineLearning-PublicNetworkAccess | Azure Machine Learning should have disabled public network access | Machine Learning | | | | Denies public network access for Azure Machine Learning workspaces. | +| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | Built-In Policy Name/ID | Built-In Policy Display Name | Built-In Category | Notes | +| :----------------------------------------: | :-----------------------------------------------------------------: | :----------------: | :-----------------------: | :----------------------------: | :-----------------: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | +| Deny-Databricks-NoPublicIp | Deny public IPs for Databricks cluster | Databricks | | | | Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. | +| Deny-Databricks-Sku | Deny non-premium Databricks sku | Databricks | | | | Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID. | +| Deny-Databricks-VirtualNetwork | Deny Databricks workspaces without Vnet injection | Databricks | | | | Enforces the use of vnet injection for Databricks workspaces. 
| +| Deny-MachineLearning-PublicNetworkAccess | Azure Machine Learning should have disabled public network access | Machine Learning | | | | Denies public network access for Azure Machine Learning workspaces. | ### Other @@ -568,9 +1103,9 @@ Impacted assignment: Deploy-ASC-Monitoring #### Docs -- Updated [Enterprise Agreement enrollment and Azure Active Directory tenants](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/enterprise-enrollment-and-azure-ad-tenants) CAF doc +- Updated [Enterprise Agreement enrollment and Microsoft Entra tenants](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/enterprise-enrollment-and-azure-ad-tenants) CAF doc - Added CSP, MCA & other billing offers - - Added information on how an EA relates to Azure AD and ties in with RBAC + - Added information on how an EA relates to Microsoft Entra ID and ties in with RBAC - Lots of updates to the [Terraform Module for Cloud Adoption Framework Enterprise-scale wiki](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki) #### Tooling @@ -580,7 +1115,7 @@ Impacted assignment: Deploy-ASC-Monitoring - [Do-It-Yourself deployment instructions for Enterprise-Scale using Azure PowerShell released](https://github.com/Azure/Enterprise-Scale/tree/main/eslzArm) - Update subscription filter in reference implementation UI experience. Subscriptions with state != "Enabled" will be excluded from the list of available subscriptions. - Removed old codebase for the different reference implementations, and converged to a single [ARM codebase](https://github.com/Azure/Enterprise-Scale/tree/main/eslzArm) -- Improved Network CIDR Range Validation within the Azure Portal experience (). +- Improved Network CIDR Range Validation within the Azure Portal experience ([https://github.com/Azure/Enterprise-Scale/pull/767](https://github.com/Azure/Enterprise-Scale/pull/767)). #### Policy 
@@ -629,47 +1164,47 @@ Impacted assignment: Deploy-ASC-Monitoring - Various custom ESLZ Azure Policies have moved to Built-In Azure Policies, see below table for more detail: > You may continue to use the ESLZ custom Azure Policy as it will still function as it does today. However, we recommend you move to assigning the new Built-In version of the Azure Policy. -> +> > **Please note** that moving to the new Built-In Policy Definition will require a new Policy Assignment and removing the previous Policy Assignment, which will mean compliance history for the Policy Assignment will be lost. However, if you have configured your Activity Logs and Security Center to export to a Log Analytics Workspace; Policy Assignment historic data will be stored here as per the retention duration configured. **Policy Definitions Updates** -| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | Built-In Policy Name/ID | Built-In Policy Display Name | Built-In Category | Notes | -| :----------------------------------------------: | :-----------------------------------------------------------------------------------: | :-------------: | :----------------------------------: | :----------------------------------------------------------------------------------------------------------------: | :---------------: | :----------------------------------------------------------------------------------------------------------------------------------: | -| Deny-PublicEndpoint-Aks | Public network access on AKS API should be disabled | Kubernetes | 040732e8-d947-40b8-95d6-854c95024bf8 | Azure Kubernetes Service Private Clusters should be enabled | Kubernetes | | +| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | Built-In Policy Name/ID | Built-In Policy Display Name | Built-In Category | Notes | +| :------------------------------------------------: | :-------------------------------------------------------------------------------------: | 
:---------------: | :------------------------------------: | :------------------------------------------------------------------------------------------------------------------: | :-----------------: | :------------------------------------------------------------------------------------------------------------------------------------: | +| Deny-PublicEndpoint-Aks | Public network access on AKS API should be disabled | Kubernetes | 040732e8-d947-40b8-95d6-854c95024bf8 | Azure Kubernetes Service Private Clusters should be enabled | Kubernetes | | | Deny-PublicEndpoint-CosmosDB | Public network access should be disabled for CosmosDB | SQL | 797b37f7-06b8-444c-b1ad-fc62867f335a | Azure Cosmos DB should disable public network access | Cosmos DB | | -| Deny-PublicEndpoint-KeyVault | Public network access should be disabled for KeyVault | Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | [Preview]: Azure Key Vault should disable public network access | Key Vault | | -| Deny-PublicEndpoint-MySQL | Public network access should be disabled for MySQL | SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | SQL | | +| Deny-PublicEndpoint-KeyVault | Public network access should be disabled for KeyVault | Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | [Preview]: Azure Key Vault should disable public network access | Key Vault | | +| Deny-PublicEndpoint-MySQL | Public network access should be disabled for MySQL | SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | SQL | | | Deny-PublicEndpoint-PostgreSql | Public network access should be disabled for PostgreSql | SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | SQL | | -| Deny-PublicEndpoint-Sql | Public network access on Azure SQL Database should be disabled | SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on 
Azure SQL Database should be disabled | SQL | | -| Deny-PublicEndpoint-Storage | Public network access onStorage accounts should be disabled | Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Storage | | -| Deploy-Diagnostics-AKS | Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace | Monitoring | 6c66c325-74c8-42fd-a286-a74b0e2939d | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Kubernetes | | -| Deploy-Diagnostics-Batch | Deploy Diagnostic Settings for Batch to Log Analytics workspace | Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Monitoring | | -| Deploy-Diagnostics-DataLakeStore | Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace | Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Monitoring | | -| Deploy-Diagnostics-EventHub | Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace | Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Monitoring | | -| Deploy-Diagnostics-KeyVault | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Monitoring | | -| Deploy-Diagnostics-LogicAppsWF | Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace | Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Monitoring | ~~This is currently not assigned as per [#691](https://github.com/Azure/Enterprise-Scale/issues/691)~~ | -| Deploy-Diagnostics-RecoveryVault | Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace | 
Monitoring | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories | Backup | | -| Deploy-Diagnostics-SearchServices | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Monitoring | | -| Deploy-Diagnostics-ServiceBus | Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace | Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Monitoring | | -| Deploy-Diagnostics-SQLDBs | Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace | Monitoring | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | SQL | | -| Deploy-Diagnostics-StreamAnalytics | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Monitoring | | -| Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint | Deploy DNS Zone Group for Storage-Blob Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! | -| Deploy-DNSZoneGroup-For-File-PrivateEndpoint | Deploy DNS Zone Group for Storage-File Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! 
| -| Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint | Deploy DNS Zone Group for Key Vault Private Endpoint | Network | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | [Preview]: Configure Azure Key Vaults to use private DNS zones | Key Vault | -| Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint | Deploy DNS Zone Group for Storage-Queue Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! | -| Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint | Deploy DNS Zone Group for SQL Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! | -| Deploy-DNSZoneGroup-For-Table-PrivateEndpoint | Deploy DNS Zone Group for Storage-Table Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! | -| Deploy-LA-Config | Deploy the configurations to the Log Analytics in the subscription | Monitoring | ***Policy Removed*** | ***Policy Removed*** | TBC | This policy has been removed as it is handled as a resource deployment in the ARM templates, portal experience and Terraform module. 
| -| Deploy-Log-Analytics | Deploy the Log Analytics in the subscription | Monitoring | 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 | Configure Log Analytics workspace and automation account to centralize logs and monitoring | Monitoring | | +| Deny-PublicEndpoint-Sql | Public network access on Azure SQL Database should be disabled | SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | SQL | | +| Deny-PublicEndpoint-Storage | Public network access onStorage accounts should be disabled | Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Storage | | +| Deploy-Diagnostics-AKS | Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace | Monitoring | 6c66c325-74c8-42fd-a286-a74b0e2939d | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Kubernetes | | +| Deploy-Diagnostics-Batch | Deploy Diagnostic Settings for Batch to Log Analytics workspace | Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Monitoring | | +| Deploy-Diagnostics-DataLakeStore | Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace | Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Monitoring | | +| Deploy-Diagnostics-EventHub | Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace | Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Monitoring | | +| Deploy-Diagnostics-KeyVault | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Monitoring | | +| Deploy-Diagnostics-LogicAppsWF | Deploy Diagnostic Settings for Logic Apps Workflow 
runtime to Log Analytics workspace | Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Monitoring | ~~This is currently not assigned as per [#691](https://github.com/Azure/Enterprise-Scale/issues/691)~~ | +| Deploy-Diagnostics-RecoveryVault | Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace | Monitoring | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories | Backup | | +| Deploy-Diagnostics-SearchServices | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Monitoring | | +| Deploy-Diagnostics-ServiceBus | Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace | Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Monitoring | | +| Deploy-Diagnostics-SQLDBs | Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace | Monitoring | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | SQL | | +| Deploy-Diagnostics-StreamAnalytics | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Monitoring | | +| Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint | Deploy DNS Zone Group for Storage-Blob Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! 
| +| Deploy-DNSZoneGroup-For-File-PrivateEndpoint | Deploy DNS Zone Group for Storage-File Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! | +| Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint | Deploy DNS Zone Group for Key Vault Private Endpoint | Network | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | [Preview]: Configure Azure Key Vaults to use private DNS zones | Key Vault | | +| Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint | Deploy DNS Zone Group for Storage-Queue Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! | +| Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint | Deploy DNS Zone Group for SQL Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! | +| Deploy-DNSZoneGroup-For-Table-PrivateEndpoint | Deploy DNS Zone Group for Storage-Table Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! | +| Deploy-LA-Config | Deploy the configurations to the Log Analytics in the subscription | Monitoring | ***Policy Removed*** | ***Policy Removed*** | TBC | This policy has been removed as it is handled as a resource deployment in the ARM templates, portal experience and Terraform module. 
| +| Deploy-Log-Analytics | Deploy the Log Analytics in the subscription | Monitoring | 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 | Configure Log Analytics workspace and automation account to centralize logs and monitoring | Monitoring | | **Policy Initiatives Updates** -| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | New Policy Name/ID | New Policy Display Name | New Category | Notes | -| :----------------------: | :--------------------------------------------------------: | :-------------: | :-----------------------------: | :--------------------------------------------------------: | :----------: | :-----------------------------------------------------------------------: | +| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | New Policy Name/ID | New Policy Display Name | New Category | Notes | +| :------------------------: | :----------------------------------------------------------: | :---------------: | :-------------------------------: | :----------------------------------------------------------: | :------------: | :-------------------------------------------------------------------------: | | Deploy-Diag-LogAnalytics | Deploy Diagnostic Settings to Azure Services | N/A | Deploy-Diagnostics-LogAnalytics | Deploy Diagnostic Settings to Azure Services | Monitoring | Moved to using a mix of Built-In (as above) and custom policy definitions | -| Deny-PublicEndpoints | Public network access should be disabled for PAAS services | Network | Deny-PublicPaaSEndpoints | Public network access should be disabled for PaaS services | N/A | Moved to using Built-In policy definitions only (as above) | -| ***New Policy*** | ***New Policy*** | N/A | Deploy-Private-DNS-Zones | Configure Azure PaaS services to use private DNS zones | Network | | +| Deny-PublicEndpoints | Public network access should be disabled for PAAS services | Network | Deny-PublicPaaSEndpoints | Public network access should be disabled for PaaS 
services | N/A | Moved to using Built-In policy definitions only (as above) | +| ***New Policy*** | ***New Policy*** | N/A | Deploy-Private-DNS-Zones | Configure Azure PaaS services to use private DNS zones | Network | | - Moved several of the diagnostics Policies to built-in, and updating the diagnostics Initiative - This means there's a new resource name as update of existing one is not be allowed due to removal of parameters 
@@ -692,7 +1227,7 @@ Impacted assignment: Deploy-ASC-Monitoring - Updated [pricing section](https://github.com/Azure/Enterprise-Scale/wiki/What-is-Enterprise-Scale#pricing) on "What is Enterprise Scale" wiki page to provide further clarity. - Updated [DNS for on-premises and Azure resources](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/dns-for-on-premises-and-azure-resources) - related to issue [#609](https://github.com/Azure/Enterprise-Scale/issues/609) - Update [Hub & Spoke](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology) guidance related to BGP propagation on UDRs for transit connectivity - to close issue [#618](https://github.com/Azure/Enterprise-Scale/issues/618) -- Added guidance to [Management group and subscription organization - CAF Docs](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization#configure-subscription-tenant-transfer-restrictions) for [Azure Subscription Policies](https://learn.microsoft.com/azure/cost-management-billing/manage/manage-azure-subscription-policy), which allow you to control Azure Subscription Tenant transfers to/from your AAD Tenant. +- Added guidance to [Management group and subscription organization - CAF Docs](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization#configure-subscription-tenant-transfer-restrictions) for [Azure Subscription Policies](https://learn.microsoft.com/azure/cost-management-billing/manage/manage-azure-subscription-policy), which allow you to control Azure Subscription Tenant transfers to/from your Microsoft Entra Tenant. #### Tooling diff --git a/docs/wiki/_Sidebar.md b/docs/wiki/_Sidebar.md index 55683ad6ea..1551cc4325 100644 --- a/docs/wiki/_Sidebar.md +++ b/docs/wiki/_Sidebar.md 
@@ -17,28 +17,33 @@ * [What happens when you deploy Enterprise-Scale?](./How-Enterprise-Scale-Works#what-happens-when-you-deploy-enterprise-scale) * Deploying Enterprise-Scale * [Pre-requisites](./Deploying-ALZ-Pre-requisites) - * [Configure AAD permissions](./ALZ-Setup-aad-permissions) + * [ALZ Resource Providers Guidance](./ALZ-Resource-Provider-Recommendations) + * [Configure Microsoft Entra permissions](./ALZ-Setup-aad-permissions) * [Configure Azure permissions](./ALZ-Setup-azure) * [Deploy landing zones](./ALZ-Deploy-landing-zones) * [Deploy reference implementations](./ALZ-Deploy-reference-implementations) * [Telemetry Tracking Using Customer Usage Attribution (PID)](./Deploying-ALZ-CustomerUsage) * [Deploy without hybrid connectivity to on-premises](./Deploying-ALZ-Foundation) * [Deploy with a hub and spoke based network topology](./Deploying-ALZ-HubAndSpoke) + * [Deploy with a hub and spoke based network topology with Zero Trust principles](./Deploying-ALZ-ZTNetwork) * [Deploy with an Azure Virtual WAN based network topology](./Deploying-ALZ-VWAN) * [Deploy for Small Enterprises](./Deploying-ALZ-BasicSetup) * [Operating the Azure platform using AzOps (Infrastructure as Code with GitHub Actions)](./Deploying-ALZ-Platform-DevOps#operating-the-azure-platform-using-azops-infrastructure-as-code-with-github-actions) * [Deploy workloads](./ALZ-Deploy-workloads) -* [Create subscriptions / landing zones using AzOps](./Create-Landingzones) - * [Create landing zones (subscription) using AzOps](./Create-Landingzones#create-landing-zones-subscription-using-azops) - * [Pre-requisites](./Create-Landingzones#pre-requisites) - * [Enable Service Principal to create landing zones](./Create-Landingzones#enable-service-principal-to-create-landing-zones) - * [ARM template repository](./Create-Landingzones#arm-template-repository) - * [Create a new landing zone (subscriptions)](./Create-Landingzones#create-a-new-landing-zone-subscriptions) +* [Create landing zones 
(subscriptions) via Subscription Vending](./Create-Landingzones) * [Azure Landing Zones Deprecated Services](./ALZ-Deprecated-Services) * Azure Landing Zone (ALZ) Policies * [Policies included in Azure landing zones reference implementations](./ALZ-Policies) + * [Policies included but not assigned by default and Workload Specific Compliance initiatives](./ALZ-Policies-Extra) + * [Policies FAQ & Tips](./ALZ-Policies-FAQ) + * [Policies Testing Framework](./ALZ-Policies-Testing) * [Migrate Azure landing zones custom policies to Azure built-in policies](./Migrate-ALZ-Policies-to-Built%E2%80%90in) * [Updating Azure landing zones custom policies to latest](./Update-ALZ-Custom-Policies-to-Latest) +* MMA Deprecation Guidance + * [Azure Monitor Agent Update](./ALZ-AMA-Update) + * [AMA Migration Guidance](./ALZ-AMA-Migration-Guidance) + * [PowerShell script](./ALZ-AMA-PowerShell-Script) + * [AMA FAQ](./ALZ-AMA-FAQ) * [Contributing](./ALZ-Contribution-Guide) * [Reporting Bugs](./ALZ-Contribution-Guide#reporting-bugs) * [Feature Requests](./ALZ-Contribution-Guide#feature-requests) diff --git a/docs/wiki/media/1.1.update-alz-custom-policy-def-search.png b/docs/wiki/media/1.1.update-alz-custom-policy-def-search.png index 722fcafa27..b91ebb9222 100644 Binary files a/docs/wiki/media/1.1.update-alz-custom-policy-def-search.png and b/docs/wiki/media/1.1.update-alz-custom-policy-def-search.png differ diff --git a/docs/wiki/media/1.2.update-alz-custom-policy-def-name.png b/docs/wiki/media/1.2.update-alz-custom-policy-def-name.png index aa26f451b8..a227fc8e82 100644 Binary files a/docs/wiki/media/1.2.update-alz-custom-policy-def-name.png and b/docs/wiki/media/1.2.update-alz-custom-policy-def-name.png differ 
diff --git a/docs/wiki/media/2.2.update-alz-custom-policy-delete-assignments.png b/docs/wiki/media/2.2.update-alz-custom-policy-delete-assignments.png index 12056133e9..964cfee1c5 100644 Binary files a/docs/wiki/media/2.2.update-alz-custom-policy-delete-assignments.png and b/docs/wiki/media/2.2.update-alz-custom-policy-delete-assignments.png differ diff --git a/docs/wiki/media/2.3.update-alz-custom-policy-search.png b/docs/wiki/media/2.3.update-alz-custom-policy-search.png index 2193a3199e..b080a83601 100644 Binary files a/docs/wiki/media/2.3.update-alz-custom-policy-search.png and b/docs/wiki/media/2.3.update-alz-custom-policy-search.png differ diff --git a/docs/wiki/media/2023-10-30_RepoTags.png b/docs/wiki/media/2023-10-30_RepoTags.png new file mode 100644 index 0000000000..a4d6b8c3e6 Binary files /dev/null and b/docs/wiki/media/2023-10-30_RepoTags.png differ diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx new file mode 100644 index 0000000000..ef277d5bea Binary files /dev/null and b/docs/wiki/media/ALZ Policy Assignments v2.xlsx differ diff --git a/docs/wiki/media/ALZ-secondaryregion-multisubscription.jpg b/docs/wiki/media/ALZ-secondaryregion-multisubscription.jpg new file mode 100644 index 0000000000..af18ad250f Binary files /dev/null and b/docs/wiki/media/ALZ-secondaryregion-multisubscription.jpg differ diff --git a/docs/wiki/media/ALZ-secondaryregion-singlesubscription.jpg b/docs/wiki/media/ALZ-secondaryregion-singlesubscription.jpg new file mode 100644 index 0000000000..c7e930ae4e Binary files /dev/null and b/docs/wiki/media/ALZ-secondaryregion-singlesubscription.jpg differ diff --git a/docs/wiki/media/ActiveActive.png b/docs/wiki/media/ActiveActive.png new file mode 100644 index 0000000000..9e6d903a2d Binary files /dev/null and b/docs/wiki/media/ActiveActive.png differ 
diff --git a/docs/wiki/media/AzGovViz-ALZ-Policy.png b/docs/wiki/media/AzGovViz-ALZ-Policy.png new file mode 100644 index 0000000000..227639700b Binary files /dev/null and b/docs/wiki/media/AzGovViz-ALZ-Policy.png differ diff --git a/docs/wiki/media/Decom_v0.1.jpg b/docs/wiki/media/Decom_v0.1.jpg deleted file mode 100644 index e0fbe66e12..0000000000 Binary files a/docs/wiki/media/Decom_v0.1.jpg and /dev/null differ diff --git a/docs/wiki/media/Decom_v0.1.svg b/docs/wiki/media/Decom_v0.1.svg new file mode 100644 index 0000000000..7c0d27411f --- /dev/null +++ b/docs/wiki/media/Decom_v0.1.svg @@ -0,0 +1,289 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page-1 + + + Sheet.1066 + + + + Management Groups.1392 + + Sheet.1001 + + + + + + + Sheet.1002 + + + + + + + Sheet.1003 + + + + + + + + + + Sheet.1004 + + Sheet.1005 + + + + + + + Sheet.1006 + + + + + + + + + + Sheet.1007 + + Sheet.1008 + + + + + + + Sheet.1009 + + + + + + + + + Sheet.1010 + + + + + + + Sheet.1011 + + + + + + + Sheet.1012 + + + + + + + Sheet.1013 + + + + + + + + Sheet.1028 + Decommissioned + + + + Decommissioned + + Sheet.1030 + + + + Sheet.1031 + + + + Icon-377PolicySet.1587 + + Sheet.1033 + + Sheet.1034 + + + + Sheet.1035 + + + + Sheet.1036 + + + + Sheet.1037 + + + + Sheet.1038 + + + + Sheet.1039 + + + + Sheet.1040 + + + + Sheet.1041 + + + + Sheet.1042 + + + + Sheet.1043 + + + + Sheet.1044 + + + + Sheet.1045 + + + + Sheet.1046 + + + + Sheet.1047 + + + + + + diff --git a/docs/wiki/media/ESLZ-Company-Prefix-singlesubscription.jpg b/docs/wiki/media/ESLZ-Company-Prefix-singlesubscription.jpg index c48a3ab90b..ba09cb014f 100644 Binary files a/docs/wiki/media/ESLZ-Company-Prefix-singlesubscription.jpg and b/docs/wiki/media/ESLZ-Company-Prefix-singlesubscription.jpg differ 
diff --git a/docs/wiki/media/ESLZ-Company-Prefix.JPG b/docs/wiki/media/ESLZ-Company-Prefix.JPG index 20ccef94bc..c177d07ab2 100644 Binary files a/docs/wiki/media/ESLZ-Company-Prefix.JPG and b/docs/wiki/media/ESLZ-Company-Prefix.JPG differ diff --git a/docs/wiki/media/ESLZ-Company-Prefix.png b/docs/wiki/media/ESLZ-Company-Prefix.png index 232d9a4eb3..1bec22d826 100644 Binary files a/docs/wiki/media/ESLZ-Company-Prefix.png and b/docs/wiki/media/ESLZ-Company-Prefix.png differ diff --git a/docs/wiki/media/MgmtGroups_Policies_v0.1.jpg b/docs/wiki/media/MgmtGroups_Policies_v0.1.jpg deleted file mode 100644 index 76101eda38..0000000000 Binary files a/docs/wiki/media/MgmtGroups_Policies_v0.1.jpg and /dev/null differ diff --git a/docs/wiki/media/MgmtGroups_Policies_v0.1.svg b/docs/wiki/media/MgmtGroups_Policies_v0.1.svg new file mode 100644 index 0000000000..2ead48cbc4 --- /dev/null +++ b/docs/wiki/media/MgmtGroups_Policies_v0.1.svg 
@@ -0,0 +1,3940 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page-1 + + + Sheet.1624 + + + + Sheet.1026 + + + + Management Groups + + Sheet.18 + + + + + + + Sheet.19 + + + + + + + Sheet.20 + + + + + + + + + + Sheet.21 + + Sheet.22 + + + + + + + Sheet.23 + + + + + + + + + + Sheet.24 + + Sheet.25 + + + + + + + Sheet.26 + + + + + + + + + Sheet.27 + + + + + + + Sheet.28 + + + + + + + Sheet.29 + + + + + + + Sheet.30 + + + + + + + + Policy.1002 + + Sheet.1003 + + + + + + + Sheet.1004 + + + + + + + Sheet.1005 + + + + + + + Sheet.1006 + + + + + + + Sheet.1007 + + + + + + + Sheet.1008 + + + + + + + Sheet.1009 + + + + + + + Sheet.1010 + + + + + + + + Sheet.1024 + Policy Definition (i.e. Policies) + + + + Policy Definition (i.e. Policies) + + Sheet.1025 + Policy Set Definition (i.e. Initiatives) + + + + Policy Set Definition (i.e. Initiatives) + + Sheet.1027 + + + + Management Groups.1064 + + Sheet.1065 + + + + + + + Sheet.1066 + + + + + + + Sheet.1067 + + + + + + + + + + Sheet.1068 + + Sheet.1069 + + + + + + + Sheet.1070 + + + + + + + + + + Sheet.1071 + + Sheet.1072 + + + + + + + Sheet.1073 + + + + + + + + + Sheet.1074 + + + + + + + Sheet.1075 + + + + + + + Sheet.1076 + + + + + + + Sheet.1077 + + + + + + + + Sheet.1102 + + + + Sheet.1103 + + + + Sheet.1104 + Tenant Root + + + + Tenant Root + + Sheet.1105 + Intermediate Root + + + + Intermediate Root + + Management Groups.1106 + + Sheet.1107 + + + + + + + Sheet.1108 + + + + + + + Sheet.1109 + + + + + + + + + + Sheet.1110 + + Sheet.1111 + + + + + + + Sheet.1112 + + + + + + + + + + Sheet.1113 + + Sheet.1114 + + + + + + + Sheet.1115 + + + + + + + + + Sheet.1116 + + + + + + + Sheet.1117 + + + + + + + Sheet.1118 + + + + + + + Sheet.1119 + + + + + + + + Sheet.1120 + + + + Sheet.1121 + + + + Sheet.1122 + + + + Sheet.1124 + + + + Sheet.1125 + + + + Icon-377PolicySet.1142 + + Sheet.1143 + + Sheet.1144 + + + + Sheet.1145 + + + + Sheet.1146 + + + + Sheet.1147 + + + + Sheet.1148 + + + 
+ Sheet.1149 + + + + Sheet.1150 + + + + Sheet.1151 + + + + Sheet.1152 + + + + Sheet.1153 + + + + Sheet.1154 + + + + Sheet.1155 + + + + Sheet.1156 + + + + Sheet.1157 + + + + + + Sheet.1183 + + + + Policy.1184 + + Sheet.1185 + + + + + + + Sheet.1186 + + + + + + + Sheet.1187 + + + + + + + Sheet.1188 + + + + + + + Sheet.1189 + + + + + + + Sheet.1190 + + + + + + + Sheet.1191 + + + + + + + Sheet.1192 + + + + + + + + Icon-377PolicySet.1193 + + Sheet.1194 + + Sheet.1195 + + + + Sheet.1196 + + + + Sheet.1197 + + + + Sheet.1198 + + + + Sheet.1199 + + + + Sheet.1200 + + + + Sheet.1201 + + + + Sheet.1202 + + + + Sheet.1203 + + + + Sheet.1204 + + + + Sheet.1205 + + + + Sheet.1206 + + + + Sheet.1207 + + + + Sheet.1208 + + + + + + Management Groups.1209 + + Sheet.1210 + + + + + + + Sheet.1211 + + + + + + + Sheet.1212 + + + + + + + + + + Sheet.1213 + + Sheet.1214 + + + + + + + Sheet.1215 + + + + + + + + + + Sheet.1216 + + Sheet.1217 + + + + + + + Sheet.1218 + + + + + + + + + Sheet.1219 + + + + + + + Sheet.1220 + + + + + + + Sheet.1221 + + + + + + + Sheet.1222 + + + + + + + + Sheet.1223 + + + + Sheet.1224 + + + + Policy.1225 + + Sheet.1226 + + + + + + + Sheet.1227 + + + + + + + Sheet.1228 + + + + + + + Sheet.1229 + + + + + + + Sheet.1230 + + + + + + + Sheet.1231 + + + + + + + Sheet.1232 + + + + + + + Sheet.1233 + + + + + + + + Icon-377PolicySet.1234 + + Sheet.1235 + + Sheet.1236 + + + + Sheet.1237 + + + + Sheet.1238 + + + + Sheet.1239 + + + + Sheet.1240 + + + + Sheet.1241 + + + + Sheet.1242 + + + + Sheet.1243 + + + + Sheet.1244 + + + + Sheet.1245 + + + + Sheet.1246 + + + + Sheet.1247 + + + + Sheet.1248 + + + + Sheet.1249 + + + + + + Sheet.1250 + + + + Sheet.1251 + + + + Policy.1252 + + Sheet.1253 + + + + + + + Sheet.1254 + + + + + + + Sheet.1255 + + + + + + + Sheet.1256 + + + + + + + Sheet.1257 + + + + + + + Sheet.1258 + + + + + + + Sheet.1259 + + + + + + + Sheet.1260 + + + + + + + + Management Groups.1277 + + Sheet.1278 + + + + + + + Sheet.1279 + + + + + + + Sheet.1280 + + + + + + 
+ + + + Sheet.1281 + + Sheet.1282 + + + + + + + Sheet.1283 + + + + + + + + + + Sheet.1284 + + Sheet.1285 + + + + + + + Sheet.1286 + + + + + + + + + Sheet.1287 + + + + + + + Sheet.1288 + + + + + + + Sheet.1289 + + + + + + + Sheet.1290 + + + + + + + + Sheet.1291 + + + + Sheet.1292 + + + + Policy.1293 + + Sheet.1294 + + + + + + + Sheet.1295 + + + + + + + Sheet.1296 + + + + + + + Sheet.1297 + + + + + + + Sheet.1298 + + + + + + + Sheet.1299 + + + + + + + Sheet.1300 + + + + + + + Sheet.1301 + + + + + + + + Management Groups.1302 + + Sheet.1303 + + + + + + + Sheet.1304 + + + + + + + Sheet.1305 + + + + + + + + + + Sheet.1306 + + Sheet.1307 + + + + + + + Sheet.1308 + + + + + + + + + + Sheet.1309 + + Sheet.1310 + + + + + + + Sheet.1311 + + + + + + + + + Sheet.1312 + + + + + + + Sheet.1313 + + + + + + + Sheet.1314 + + + + + + + Sheet.1315 + + + + + + + + Sheet.1316 + + + + Sheet.1317 + + + + Policy.1318 + + Sheet.1319 + + + + + + + Sheet.1320 + + + + + + + Sheet.1321 + + + + + + + Sheet.1322 + + + + + + + Sheet.1323 + + + + + + + Sheet.1324 + + + + + + + Sheet.1325 + + + + + + + Sheet.1326 + + + + + + + + Sheet.1327 + Platform + + + + Platform + + Sheet.1328 + Connectivity + + + + Connectivity + + Sheet.1329 + Management + + + + Management + + Sheet.1331 + Identity + + + + Identity + + Subscriptions.1332 + + Sheet.1333 + + + + + + + Sheet.1334 + + + + + + + Sheet.1335 + + + + + + + Sheet.1336 + + + + + + + + Subscriptions.1337 + + Sheet.1338 + + + + + + + Sheet.1339 + + + + + + + Sheet.1340 + + + + + + + Sheet.1341 + + + + + + + + Subscriptions.1342 + + Sheet.1343 + + + + + + + Sheet.1344 + + + + + + + Sheet.1345 + + + + + + + Sheet.1346 + + + + + + + + Sheet.1347 + + + + Sheet.1348 + + + + Sheet.1349 + + + + Management Groups.1350 + + Sheet.1351 + + + + + + + Sheet.1352 + + + + + + + Sheet.1353 + + + + + + + + + + Sheet.1354 + + Sheet.1355 + + + + + + + Sheet.1356 + + + + + + + + + + Sheet.1357 + + Sheet.1358 + + + + + + + Sheet.1359 + + + + + + + + + Sheet.1360 + + + + + + 
+ Sheet.1361 + + + + + + + Sheet.1362 + + + + + + + Sheet.1363 + + + + + + + + Management Groups.1364 + + Sheet.1365 + + + + + + + Sheet.1366 + + + + + + + Sheet.1367 + + + + + + + + + + Sheet.1368 + + Sheet.1369 + + + + + + + Sheet.1370 + + + + + + + + + + Sheet.1371 + + Sheet.1372 + + + + + + + Sheet.1373 + + + + + + + + + Sheet.1374 + + + + + + + Sheet.1375 + + + + + + + Sheet.1376 + + + + + + + Sheet.1377 + + + + + + + + Management Groups.1378 + + Sheet.1379 + + + + + + + Sheet.1380 + + + + + + + Sheet.1381 + + + + + + + + + + Sheet.1382 + + Sheet.1383 + + + + + + + Sheet.1384 + + + + + + + + + + Sheet.1385 + + Sheet.1386 + + + + + + + Sheet.1387 + + + + + + + + + Sheet.1388 + + + + + + + Sheet.1389 + + + + + + + Sheet.1390 + + + + + + + Sheet.1391 + + + + + + + + Management Groups.1392 + + Sheet.1393 + + + + + + + Sheet.1394 + + + + + + + Sheet.1395 + + + + + + + + + + Sheet.1396 + + Sheet.1397 + + + + + + + Sheet.1398 + + + + + + + + + + Sheet.1399 + + Sheet.1400 + + + + + + + Sheet.1401 + + + + + + + + + Sheet.1402 + + + + + + + Sheet.1403 + + + + + + + Sheet.1404 + + + + + + + Sheet.1405 + + + + + + + + Management Groups.1406 + + Sheet.1407 + + + + + + + Sheet.1408 + + + + + + + Sheet.1409 + + + + + + + + + + Sheet.1410 + + Sheet.1411 + + + + + + + Sheet.1412 + + + + + + + + + + Sheet.1413 + + Sheet.1414 + + + + + + + Sheet.1415 + + + + + + + + + Sheet.1416 + + + + + + + Sheet.1417 + + + + + + + Sheet.1418 + + + + + + + Sheet.1419 + + + + + + + + Sheet.1420 + + + + Sheet.1421 + Landing Zones + + + + Landing Zones + + Sheet.1422 + + + + Sheet.1423 + + + + Sheet.1425 + + + + Sheet.1426 + + + + Policy.1427 + + Sheet.1428 + + + + + + + Sheet.1429 + + + + + + + Sheet.1430 + + + + + + + Sheet.1431 + + + + + + + Sheet.1432 + + + + + + + Sheet.1433 + + + + + + + Sheet.1434 + + + + + + + Sheet.1435 + + + + + + + + Icon-377PolicySet.1436 + + Sheet.1437 + + Sheet.1438 + + + + Sheet.1439 + + + + Sheet.1440 + + + + Sheet.1441 + + + + Sheet.1442 + + + + Sheet.1443 + + + 
+ Sheet.1444 + + + + Sheet.1445 + + + + Sheet.1446 + + + + Sheet.1447 + + + + Sheet.1448 + + + + Sheet.1449 + + + + Sheet.1450 + + + + Sheet.1451 + + + + + + Sheet.1452 + Corp + + + + Corp + + Sheet.1453 + Online + + + + Online + + Subscriptions.1454 + + Sheet.1455 + + + + + + + Sheet.1456 + + + + + + + Sheet.1457 + + + + + + + Sheet.1458 + + + + + + + + Subscriptions.1459 + + Sheet.1460 + + + + + + + Sheet.1461 + + + + + + + Sheet.1462 + + + + + + + Sheet.1463 + + + + + + + + Subscriptions.1464 + + Sheet.1465 + + + + + + + Sheet.1466 + + + + + + + Sheet.1467 + + + + + + + Sheet.1468 + + + + + + + + Subscriptions.1469 + + Sheet.1470 + + + + + + + Sheet.1471 + + + + + + + Sheet.1472 + + + + + + + Sheet.1473 + + + + + + + + Subscriptions.1474 + + Sheet.1475 + + + + + + + Sheet.1476 + + + + + + + Sheet.1477 + + + + + + + Sheet.1478 + + + + + + + + Subscriptions.1479 + + Sheet.1480 + + + + + + + Sheet.1481 + + + + + + + Sheet.1482 + + + + + + + Sheet.1483 + + + + + + + + Subscriptions.1484 + + Sheet.1485 + + + + + + + Sheet.1486 + + + + + + + Sheet.1487 + + + + + + + Sheet.1488 + + + + + + + + Subscriptions.1489 + + Sheet.1490 + + + + + + + Sheet.1491 + + + + + + + Sheet.1492 + + + + + + + Sheet.1493 + + + + + + + + Subscriptions.1494 + + Sheet.1495 + + + + + + + Sheet.1496 + + + + + + + Sheet.1497 + + + + + + + Sheet.1498 + + + + + + + + Subscriptions.1499 + + Sheet.1500 + + + + + + + Sheet.1501 + + + + + + + Sheet.1502 + + + + + + + Sheet.1503 + + + + + + + + Subscriptions.1504 + + Sheet.1505 + + + + + + + Sheet.1506 + + + + + + + Sheet.1507 + + + + + + + Sheet.1508 + + + + + + + + Subscriptions.1509 + + Sheet.1510 + + + + + + + Sheet.1511 + + + + + + + Sheet.1512 + + + + + + + Sheet.1513 + + + + + + + + Subscriptions.1514 + + Sheet.1515 + + + + + + + Sheet.1516 + + + + + + + Sheet.1517 + + + + + + + Sheet.1518 + + + + + + + + Subscriptions.1519 + + Sheet.1520 + + + + + + + Sheet.1521 + + + + + + + Sheet.1522 + + + + + + + Sheet.1523 + + + + + + + + 
Subscriptions.1524 + + Sheet.1525 + + + + + + + Sheet.1526 + + + + + + + Sheet.1527 + + + + + + + Sheet.1528 + + + + + + + + Subscriptions.1529 + + Sheet.1530 + + + + + + + Sheet.1531 + + + + + + + Sheet.1532 + + + + + + + Sheet.1533 + + + + + + + + Subscriptions.1534 + + Sheet.1535 + + + + + + + Sheet.1536 + + + + + + + Sheet.1537 + + + + + + + Sheet.1538 + + + + + + + + Subscriptions.1539 + + Sheet.1540 + + + + + + + Sheet.1541 + + + + + + + Sheet.1542 + + + + + + + Sheet.1543 + + + + + + + + Sheet.1544 + Decommissioned + + + + Decommissioned + + Sheet.1545 + Sandbox + + + + Sandbox + + Subscriptions.1546 + + Sheet.1547 + + + + + + + Sheet.1548 + + + + + + + Sheet.1549 + + + + + + + Sheet.1550 + + + + + + + + Subscriptions.1551 + + Sheet.1552 + + + + + + + Sheet.1553 + + + + + + + Sheet.1554 + + + + + + + Sheet.1555 + + + + + + + + Subscriptions.1556 + + Sheet.1557 + + + + + + + Sheet.1558 + + + + + + + Sheet.1559 + + + + + + + Sheet.1560 + + + + + + + + Subscriptions.1561 + + Sheet.1562 + + + + + + + Sheet.1563 + + + + + + + Sheet.1564 + + + + + + + Sheet.1565 + + + + + + + + Subscriptions.1566 + + Sheet.1567 + + + + + + + Sheet.1568 + + + + + + + Sheet.1569 + + + + + + + Sheet.1570 + + + + + + + + Subscriptions.1571 + + Sheet.1572 + + + + + + + Sheet.1573 + + + + + + + Sheet.1574 + + + + + + + Sheet.1575 + + + + + + + + Sheet.1576 + + + + Sheet.1577 + + + + Icon-377PolicySet.1587 + + Sheet.1588 + + Sheet.1589 + + + + Sheet.1590 + + + + Sheet.1591 + + + + Sheet.1592 + + + + Sheet.1593 + + + + Sheet.1594 + + + + Sheet.1595 + + + + Sheet.1596 + + + + Sheet.1597 + + + + Sheet.1598 + + + + Sheet.1599 + + + + Sheet.1600 + + + + Sheet.1601 + + + + Sheet.1602 + + + + + + Sheet.1603 + + + + Sheet.1604 + + + + Icon-377PolicySet.1605 + + Sheet.1606 + + Sheet.1607 + + + + Sheet.1608 + + + + Sheet.1609 + + + + Sheet.1610 + + + + Sheet.1611 + + + + Sheet.1612 + + + + Sheet.1613 + + + + Sheet.1614 + + + + Sheet.1615 + + + + Sheet.1616 + + + + Sheet.1617 + + + + Sheet.1618 + + 
+ + Sheet.1619 + + + + Sheet.1620 + + + + + + Sheet.1621 + + + + Sheet.1622 + + + + Sheet.1623 + + + + Sheet.1625 + + + + Sheet.1626 + + + + Icon-377PolicySet.1627 + + Sheet.1628 + + Sheet.1629 + + + + Sheet.1630 + + + + Sheet.1631 + + + + Sheet.1632 + + + + Sheet.1633 + + + + Sheet.1634 + + + + Sheet.1635 + + + + Sheet.1636 + + + + Sheet.1637 + + + + Sheet.1638 + + + + Sheet.1639 + + + + Sheet.1640 + + + + Sheet.1641 + + + + Sheet.1642 + + + + + + diff --git a/docs/wiki/media/Platform_v0.1.jpg b/docs/wiki/media/Platform_v0.1.jpg deleted file mode 100644 index 9755568a81..0000000000 Binary files a/docs/wiki/media/Platform_v0.1.jpg and /dev/null differ diff --git a/docs/wiki/media/Platform_v0.1.svg b/docs/wiki/media/Platform_v0.1.svg new file mode 100644 index 0000000000..421a09b13b --- /dev/null +++ b/docs/wiki/media/Platform_v0.1.svg @@ -0,0 +1,289 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page-1 + + + Sheet.1068 + + + + Management Groups.1069 + + Sheet.1070 + + + + + + + Sheet.1071 + + + + + + + Sheet.1072 + + + + + + + + + + Sheet.1073 + + Sheet.1074 + + + + + + + Sheet.1075 + + + + + + + + + + Sheet.1076 + + Sheet.1077 + + + + + + + Sheet.1078 + + + + + + + + + Sheet.1079 + + + + + + + Sheet.1080 + + + + + + + Sheet.1081 + + + + + + + Sheet.1082 + + + + + + + + Sheet.1083 + Platform + + + + Platform + + Sheet.1084 + + + + Sheet.1085 + + + + Icon-377PolicySet.1086 + + Sheet.1087 + + Sheet.1088 + + + + Sheet.1089 + + + + Sheet.1090 + + + + Sheet.1091 + + + + Sheet.1092 + + + + Sheet.1093 + + + + Sheet.1094 + + + + Sheet.1095 + + + + Sheet.1096 + + + + Sheet.1097 + + + + Sheet.1098 + + + + Sheet.1099 + + + + Sheet.1100 + + + + Sheet.1101 + + + + + + diff --git a/docs/wiki/media/Sandbox_v0.1.jpg b/docs/wiki/media/Sandbox_v0.1.jpg deleted file mode 100644 index 9644e3ca3a..0000000000 Binary files a/docs/wiki/media/Sandbox_v0.1.jpg and /dev/null differ 
diff --git a/docs/wiki/media/Sandbox_v0.1.svg b/docs/wiki/media/Sandbox_v0.1.svg new file mode 100644 index 0000000000..53fed23915 --- /dev/null +++ b/docs/wiki/media/Sandbox_v0.1.svg @@ -0,0 +1,290 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page-1 + + + Sheet.1067 + + + + Management Groups.1406 + + Sheet.1015 + + + + + + + Sheet.1016 + + + + + + + Sheet.1017 + + + + + + + + + + Sheet.1018 + + Sheet.1019 + + + + + + + Sheet.1020 + + + + + + + + + + Sheet.1021 + + Sheet.1022 + + + + + + + Sheet.1023 + + + + + + + + + Sheet.1024 + + + + + + + Sheet.1025 + + + + + + + Sheet.1026 + + + + + + + Sheet.1027 + + + + + + + + Sheet.1029 + Sandbox + + + + Sandbox + + Sheet.1048 + + + + Sheet.1049 + + + + Icon-377PolicySet.1605 + + Sheet.1051 + + Sheet.1052 + + + + Sheet.1053 + + + + Sheet.1054 + + + + Sheet.1055 + + + + Sheet.1056 + + + + Sheet.1057 + + + + Sheet.1058 + + + + Sheet.1059 + + + + Sheet.1060 + + + + Sheet.1061 + + + + Sheet.1062 + + + + Sheet.1063 + + + + Sheet.1064 + + + + Sheet.1065 + + + + + + diff --git a/docs/wiki/media/WN-RBACCleanup.png b/docs/wiki/media/WN-RBACCleanup.png new file mode 100644 index 0000000000..f1dc8cf2a7 Binary files /dev/null and b/docs/wiki/media/WN-RBACCleanup.png differ diff --git a/docs/wiki/media/alz-contrib-portal1.png b/docs/wiki/media/alz-contrib-portal1.png new file mode 100644 index 0000000000..3cbd206370 Binary files /dev/null and b/docs/wiki/media/alz-contrib-portal1.png differ diff --git a/docs/wiki/media/alz-portal-baselinealerts.jpg b/docs/wiki/media/alz-portal-baselinealerts.jpg new file mode 100644 index 0000000000..6b7244cfc9 Binary files /dev/null and b/docs/wiki/media/alz-portal-baselinealerts.jpg differ diff --git a/docs/wiki/media/alz-portal-decommsandbox.jpg b/docs/wiki/media/alz-portal-decommsandbox.jpg new file mode 100644 index 0000000000..de2d2b20f8 Binary files /dev/null and b/docs/wiki/media/alz-portal-decommsandbox.jpg differ 
diff --git a/docs/wiki/media/alz-portal-landingzones.jpg b/docs/wiki/media/alz-portal-landingzones.jpg new file mode 100644 index 0000000000..7eb7fa2379 Binary files /dev/null and b/docs/wiki/media/alz-portal-landingzones.jpg differ diff --git a/docs/wiki/media/ama-migrate-whatif.gif b/docs/wiki/media/ama-migrate-whatif.gif new file mode 100644 index 0000000000..af3cbf7fef Binary files /dev/null and b/docs/wiki/media/ama-migrate-whatif.gif differ diff --git a/docs/wiki/media/ama-migrate.gif b/docs/wiki/media/ama-migrate.gif new file mode 100644 index 0000000000..7ee7660968 Binary files /dev/null and b/docs/wiki/media/ama-migrate.gif differ diff --git a/docs/wiki/media/ama-update-whatif.gif b/docs/wiki/media/ama-update-whatif.gif new file mode 100644 index 0000000000..a0a3ac9087 Binary files /dev/null and b/docs/wiki/media/ama-update-whatif.gif differ diff --git a/docs/wiki/media/ama-update.gif b/docs/wiki/media/ama-update.gif new file mode 100644 index 0000000000..8d4a0fd120 Binary files /dev/null and b/docs/wiki/media/ama-update.gif differ diff --git a/docs/wiki/media/clip_image010.jpg b/docs/wiki/media/clip_image010.jpg index f4eed32bdd..f9efeef989 100644 Binary files a/docs/wiki/media/clip_image010.jpg and b/docs/wiki/media/clip_image010.jpg differ diff --git a/docs/wiki/media/clip_image014-singlesubscription.jpg b/docs/wiki/media/clip_image014-singlesubscription.jpg index 61e952b935..d5db5542e6 100644 Binary files a/docs/wiki/media/clip_image014-singlesubscription.jpg and b/docs/wiki/media/clip_image014-singlesubscription.jpg differ diff --git a/docs/wiki/media/clip_image014.jpg b/docs/wiki/media/clip_image014.jpg index be5f7c9993..0522465cc5 100644 Binary files a/docs/wiki/media/clip_image014.jpg and b/docs/wiki/media/clip_image014.jpg differ diff --git a/docs/wiki/media/clip_image014lzc.jpg b/docs/wiki/media/clip_image014lzc.jpg deleted file mode 100644 index b2ab8e0698..0000000000 Binary files a/docs/wiki/media/clip_image014lzc.jpg and /dev/null differ 
diff --git a/docs/wiki/media/clip_image036b-0-singlesubscription.png b/docs/wiki/media/clip_image036b-0-singlesubscription.png
index 699fc558a6..3199dea8d6 100644
Binary files a/docs/wiki/media/clip_image036b-0-singlesubscription.png and b/docs/wiki/media/clip_image036b-0-singlesubscription.png differ
diff --git a/docs/wiki/media/clip_image036c-singlesubscription.png b/docs/wiki/media/clip_image036c-singlesubscription.png
index 40526397d9..70245fd4e1 100644
Binary files a/docs/wiki/media/clip_image036c-singlesubscription.png and b/docs/wiki/media/clip_image036c-singlesubscription.png differ
diff --git a/docs/wiki/media/clip_image037-3-singlesubscription.jpg b/docs/wiki/media/clip_image037-3-singlesubscription.jpg
index b9c80a4610..fee78b8628 100644
Binary files a/docs/wiki/media/clip_image037-3-singlesubscription.jpg and b/docs/wiki/media/clip_image037-3-singlesubscription.jpg differ
diff --git a/docs/wiki/media/clip_image037-4-singlesubscription.jpg b/docs/wiki/media/clip_image037-4-singlesubscription.jpg
index be1841b7cd..78826ff3ad 100644
Binary files a/docs/wiki/media/clip_image037-4-singlesubscription.jpg and b/docs/wiki/media/clip_image037-4-singlesubscription.jpg differ
diff --git a/docs/wiki/media/clip_image037-6-singlesubscription.jpg b/docs/wiki/media/clip_image037-6-singlesubscription.jpg
new file mode 100644
index 0000000000..5df247cb37
Binary files /dev/null and b/docs/wiki/media/clip_image037-6-singlesubscription.jpg differ
diff --git a/docs/wiki/media/clip_image039-singlesubscription.jpg b/docs/wiki/media/clip_image039-singlesubscription.jpg
index b3234cd358..c1cc13f603 100644
Binary files a/docs/wiki/media/clip_image039-singlesubscription.jpg and b/docs/wiki/media/clip_image039-singlesubscription.jpg differ
diff --git a/docs/wiki/media/clip_image039.jpg b/docs/wiki/media/clip_image039.jpg
index a51e1cf287..2afa8a73e9 100644
Binary files a/docs/wiki/media/clip_image039.jpg and b/docs/wiki/media/clip_image039.jpg differ
diff --git a/docs/wiki/media/clip_image080.png b/docs/wiki/media/clip_image080.png
new file mode 100644
index 0000000000..4747e08e5a
Binary files /dev/null and b/docs/wiki/media/clip_image080.png differ
diff --git a/docs/wiki/media/clip_image081.png b/docs/wiki/media/clip_image081.png
new file mode 100644
index 0000000000..85ee27aac8
Binary files /dev/null and b/docs/wiki/media/clip_image081.png differ
diff --git a/docs/wiki/media/clip_image082.png b/docs/wiki/media/clip_image082.png
new file mode 100644
index 0000000000..39139bada3
Binary files /dev/null and b/docs/wiki/media/clip_image082.png differ
diff --git a/docs/wiki/media/clip_image083.png b/docs/wiki/media/clip_image083.png
new file mode 100644
index 0000000000..c178c9d5fb
Binary files /dev/null and b/docs/wiki/media/clip_image083.png differ
diff --git a/docs/wiki/media/clip_image084.png b/docs/wiki/media/clip_image084.png
new file mode 100644
index 0000000000..79e9e1be21
Binary files /dev/null and b/docs/wiki/media/clip_image084.png differ
diff --git a/docs/wiki/media/clip_image085.png b/docs/wiki/media/clip_image085.png
new file mode 100644
index 0000000000..b97f2b96f1
Binary files /dev/null and b/docs/wiki/media/clip_image085.png differ
diff --git a/docs/wiki/media/community-calls/april-2023/ALZ-Community-Call-27-04-2023.pdf b/docs/wiki/media/community-calls/april-2023/ALZ-Community-Call-27-04-2023.pdf
new file mode 100644
index 0000000000..83811db315
Binary files /dev/null and b/docs/wiki/media/community-calls/april-2023/ALZ-Community-Call-27-04-2023.pdf differ
diff --git a/docs/wiki/media/community-calls/april-2023/alz-april-2023-youtube-screenshot.png b/docs/wiki/media/community-calls/april-2023/alz-april-2023-youtube-screenshot.png
new file mode 100644
index 0000000000..10d390099d
Binary files /dev/null and b/docs/wiki/media/community-calls/april-2023/alz-april-2023-youtube-screenshot.png differ
diff --git a/docs/wiki/media/community-calls/dec-2023/ALZ-Community-Call-06122023.pdf b/docs/wiki/media/community-calls/dec-2023/ALZ-Community-Call-06122023.pdf
new file mode 100644
index 0000000000..3f49967b6d
Binary files /dev/null and b/docs/wiki/media/community-calls/dec-2023/ALZ-Community-Call-06122023.pdf differ
diff --git a/docs/wiki/media/community-calls/dec-2023/youtube-screenshot.png b/docs/wiki/media/community-calls/dec-2023/youtube-screenshot.png
new file mode 100644
index 0000000000..1e936b9bc5
Binary files /dev/null and b/docs/wiki/media/community-calls/dec-2023/youtube-screenshot.png differ
diff --git a/docs/wiki/media/community-calls/june-2024/ALZ-Community-Call-12062024.pdf b/docs/wiki/media/community-calls/june-2024/ALZ-Community-Call-12062024.pdf
new file mode 100644
index 0000000000..2c8f308eb6
Binary files /dev/null and b/docs/wiki/media/community-calls/june-2024/ALZ-Community-Call-12062024.pdf differ
diff --git a/docs/wiki/media/community-calls/june-2024/youtube-thumbnail.png b/docs/wiki/media/community-calls/june-2024/youtube-thumbnail.png
new file mode 100644
index 0000000000..eeda2583f1
Binary files /dev/null and b/docs/wiki/media/community-calls/june-2024/youtube-thumbnail.png differ
diff --git a/docs/wiki/media/community-calls/march-2024/ALZ-Community-Call-11032024.pdf b/docs/wiki/media/community-calls/march-2024/ALZ-Community-Call-11032024.pdf
new file mode 100644
index 0000000000..9e67d61dd7
Binary files /dev/null and b/docs/wiki/media/community-calls/march-2024/ALZ-Community-Call-11032024.pdf differ
diff --git a/docs/wiki/media/community-calls/march-2024/youtube-thumbnail.png b/docs/wiki/media/community-calls/march-2024/youtube-thumbnail.png
new file mode 100644
index 0000000000..a5111599c5
Binary files /dev/null and b/docs/wiki/media/community-calls/march-2024/youtube-thumbnail.png differ
diff --git a/docs/wiki/media/community-calls/sept-2023/ALZ-Community-Call-25092023.pdf b/docs/wiki/media/community-calls/sept-2023/ALZ-Community-Call-25092023.pdf new file mode 100644 index 0000000000..5f25424ec2 Binary files /dev/null and b/docs/wiki/media/community-calls/sept-2023/ALZ-Community-Call-25092023.pdf differ diff --git a/docs/wiki/media/community-calls/sept-2023/youtube-screenshot.png b/docs/wiki/media/community-calls/sept-2023/youtube-screenshot.png new file mode 100644 index 0000000000..b752173069 Binary files /dev/null and b/docs/wiki/media/community-calls/sept-2023/youtube-screenshot.png differ diff --git a/docs/wiki/media/ef73.jpg b/docs/wiki/media/ef73.jpg new file mode 100644 index 0000000000..e70f7b969e Binary files /dev/null and b/docs/wiki/media/ef73.jpg differ diff --git a/docs/wiki/media/ef73.svg b/docs/wiki/media/ef73.svg new file mode 100644 index 0000000000..f5ba57b38c --- /dev/null +++ b/docs/wiki/media/ef73.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/docs/wiki/media/zt1.png b/docs/wiki/media/zt1.png new file mode 100644 index 0000000000..a7987bb468 Binary files /dev/null and b/docs/wiki/media/zt1.png differ diff --git a/docs/wiki/media/zt2.png b/docs/wiki/media/zt2.png new file mode 100644 index 0000000000..04fda0aa0c Binary files /dev/null and b/docs/wiki/media/zt2.png differ diff --git a/docs/wiki/media/zt3.png b/docs/wiki/media/zt3.png new file mode 100644 index 0000000000..0119e1a956 Binary files /dev/null and b/docs/wiki/media/zt3.png differ diff --git a/docs/wiki/media/zt4.png b/docs/wiki/media/zt4.png new file mode 100644 index 0000000000..d03044a55a Binary files /dev/null and b/docs/wiki/media/zt4.png differ diff --git a/docs/wiki/media/zt5-2.png b/docs/wiki/media/zt5-2.png new file mode 100644 index 0000000000..62ad3c735a Binary files /dev/null and b/docs/wiki/media/zt5-2.png differ 
diff --git a/docs/wiki/media/zt5.png b/docs/wiki/media/zt5.png
new file mode 100644
index 0000000000..92f3e1f082
Binary files /dev/null and b/docs/wiki/media/zt5.png differ
diff --git a/docs/wiki/media/zt6.png b/docs/wiki/media/zt6.png
new file mode 100644
index 0000000000..9a6cbe3110
Binary files /dev/null and b/docs/wiki/media/zt6.png differ
diff --git a/docs/wiki/media/zt7.png b/docs/wiki/media/zt7.png
new file mode 100644
index 0000000000..851471109c
Binary files /dev/null and b/docs/wiki/media/zt7.png differ
diff --git a/docs/wiki/media/zt8.png b/docs/wiki/media/zt8.png
new file mode 100644
index 0000000000..72b766e49b
Binary files /dev/null and b/docs/wiki/media/zt8.png differ
diff --git a/docs/wiki/media/zt9.png b/docs/wiki/media/zt9.png
new file mode 100644
index 0000000000..5ae98e1da8
Binary files /dev/null and b/docs/wiki/media/zt9.png differ
diff --git a/eslzArm/README.md b/eslzArm/README.md
index b70ac760b7..81ef80a64a 100644
--- a/eslzArm/README.md
+++ b/eslzArm/README.md
@@ -1,394 +1,6 @@ # Enterprise-Scale Landing Zones ARM templates -> The Bicep version is now available in Public Preview here: [https://github.com/Azure/ALZ-Bicep](https://github.com/Azure/ALZ-Bicep) +> The content that was previously here has been archived as it is no longer relevant. Please follow the guidance in the [ALZ Wiki](https://aka.ms/alz/wiki) for the latest information on how to deploy Enterprise-Scale Landing Zones. +> To view the content that was previously here, refer to the [archive](https://github.com/Azure/Enterprise-Scale/blob/45d5c2bd8c1a9e19b1a46a3a0dabb311e5320b64/eslzArm/README.md). -This folder contains the first-party ARM templates for Enterprise-Scale which and are being used when deploying and bootstrapping in the Azure Portal, which is our recommendation as it will 1) save you tremendous amount of time, 2) accelerate your journey, and 3) optionally bootstrap your GitHub repository with ready-to-use ARM templates if you want to pivot to infrastructure-as-code post deployment. - -For customers who cannot deploy via portal, but rather want to clone the repository and sequence the deployments on their own using the same ARM templates, they can follow the manual deployment instructions below. - -> **Note:** There's a strict sequencing required in order to achieve the same outcome as when deploying via the Azure portal, and any modification and changes to the templates are not supported. 
- -## Do-It-Yourself deployment instructions for Enterprise-Scale using Azure PowerShell - -Prerequisites: - -* [Azure PowerShell module](https://learn.microsoft.com/powershell/azure/install-az-ps?view=azps-6.3.0) -* [Sign in and get started](https://learn.microsoft.com/powershell/azure/get-started-azureps?view=azps-6.3.0#sign-in-to-azure) -* [Configure Azure permissions for ARM tenant deployments](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md) -* [How to clone a GitHub repository](https://docs.github.com/github/creating-cloning-and-archiving-repositories/cloning-a-repository-from-github/cloning-a-repository) - -There are two sets of instructions; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to minor difference in services which are available in Azure global and in Azure China, but the feature parity gap is narrowing. Here are the quick links to bring you to the specific set of instructions: - -1. [Deploying in Azure global regions](#deploying-in-azure-global-regions) -2. [Deploying in Azure China regions](./README-AzureChina.md) - -#### Deploying in Azure global regions - -````powershell - -# Do-It-Yourself instructions for deploying Enterprise-Scale in Azure global regions - -# Change the variables below to contain the right values for your tenant, subscription, address space etc. 
- -$ESLZPrefix = "ESLZ" -$Location = "westeurope" -$DeploymentName = "EntScale" -$TenantRootGroupId = (Get-AzTenant).Id -$ManagementSubscriptionId = "" -$ConnectivitySubscriptionId = "" -$ConnectivityAddressPrefix = "" -$IdentitySubscriptionId = "" -$SecurityContactEmailAddress = "" -$CorpConnectedLandingZoneSubscriptionId = "" -$OnlineLandingZoneSubscriptionId = "" - -# Deploying management group structure for Enterprise-Scale - -New-AzManagementGroupDeployment -Name $DeploymentName ` - -ManagementGroupId $TenantRootGroupId ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\mgmtGroupStructure\mgmtGroups.json ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -Verbose - -# Deploy core policy definitions to ESLZ intermediate root management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-policy1" ` - -ManagementGroupId $ESLZPrefix ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyDefinitions\policies.json ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -Verbose - -# Deploy policy initiative for preventing usage of public endpoint for Azure PaaS services - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-policy2" ` - -ManagementGroupId $ESLZPrefix ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyDefinitions\DENY-PublicEndpointsPolicySetDefinition.json ` - -Verbose - -# Deploying policy initiative for associating private DNS zones with private endpoints for Azure PaaS services - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-policy3" ` - -ManagementGroupId $ESLZPrefix ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyDefinitions\DINE-PrivateDNSZonesPolicySetDefinition.json ` - -Verbose - -# Add dedicated subscription for platform management - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-mgsub" ` - -ManagementGroupId "$($ESLZPrefix)-management" ` - -Location $Location ` - -TemplateFile 
.\eslzArm\managementGroupTemplates\subscriptionOrganization\subscriptionOrganization.json ` - -targetManagementGroupId "$($ESLZPrefix)-management" ` - -subscriptionId $ManagementSubscriptionId ` - -Verbose - -# Add dedicated subscription for platform connectivity - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-connsub" ` - -ManagementGroupId "$($ESLZPrefix)-connectivity" ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\subscriptionOrganization\subscriptionOrganization.json ` - -targetManagementGroupId "$($ESLZPrefix)-connectivity" ` - -subscriptionId $ConnectivitySubscriptionId ` - -Verbose - -# Add dedicated subscription for platform identity - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-idsub" ` - -ManagementGroupId "$($ESLZPrefix)-identity" ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\subscriptionOrganization\subscriptionOrganization.json ` - -targetManagementGroupId "$($ESLZPrefix)-identity" ` - -subscriptionId $IdentitySubscriptionId ` - -Verbose - -# Deploy Log Analytics Workspace to the platform management subscription - -Select-AzSubscription -SubscriptionName $ManagementSubscriptionId - -New-AzSubscriptionDeployment -Name "$($DeploymentName)-la" ` - -Location $Location ` - -TemplateFile .\eslzArm\subscriptionTemplates\logAnalyticsWorkspace.json ` - -rgName "$($ESLZPrefix)-mgmt" ` - -workspaceName "$($ESLZPrefix)-law" ` - -workspaceRegion $Location ` - -retentionInDays "30" ` - -automationAccountName "$($ESLZPrefix)-aauto" ` - -automationRegion $Location ` - -Verbose - -# Deploy Log Analytics Solutions to the Log Analytics workspace in the platform management subscription - -Select-AzSubscription -SubscriptionName $ManagementSubscriptionId - -New-AzSubscriptionDeployment -Name "$($DeploymentName)-la-solution" ` - -Location $Location ` - -TemplateFile .\eslzArm\subscriptionTemplates\logAnalyticsSolutions.json ` - -rgName "$($ESLZPrefix)-mgmt" ` - -workspaceName 
"$($ESLZPrefix)-law" ` - -workspaceRegion $Location ` - -Verbose - -# Assign Azure Policy to enforce Log Analytics workspace on the management, management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-la-policy" ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DINE-LogAnalyticsPolicyAssignment.json ` - -retentionInDays "30" ` - -rgName "$($ESLZPrefix)-mgmt" ` - -ManagementGroupId "$($eslzPrefix)-management" ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -logAnalyticsWorkspaceName "$($ESLZPrefix)-law" ` - -workspaceRegion $Location ` - -automationAccountName "$($ESLZPrefix)-aauto" ` - -automationRegion $Location ` - -Verbose - -# Assign Azure Policy to enforce diagnostic settings for subscriptions on top level management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-sub-diag" ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DINE-ActivityLogPolicyAssignment.json ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -logAnalyticsResourceId "/subscriptions/$($ManagementSubscriptionId)/resourceGroups/$($eslzPrefix)-mgmt/providers/Microsoft.OperationalInsights/workspaces/$($eslzPrefix)-law" ` - -ManagementGroupId $ESLZPrefix ` - -Verbose - -# Assign Azure Policy to enforce diagnostic settings for subscriptions on top level management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-resource-diag" ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DINE-ResourceDiagnosticsPolicyAssignment.json ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -logAnalyticsResourceId "/subscriptions/$($ManagementSubscriptionId)/resourceGroups/$($eslzPrefix)-mgmt/providers/Microsoft.OperationalInsights/workspaces/$($eslzPrefix)-law" ` - -ManagementGroupId $ESLZPrefix ` - -Verbose - -# Assign Azure Policy to enforce Azure Security Center configuration enabled on all subscriptions, deployed to top 
level management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-mdfc-config" ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DINE-MDFCConfigPolicyAssignment.json ` - -ManagementGroupId $eslzPrefix ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -logAnalyticsResourceId "/subscriptions/$($ManagementSubscriptionId)/resourceGroups/$($eslzPrefix)-mgmt/providers/Microsoft.OperationalInsights/workspaces/$($eslzPrefix)-law" ` - -enableAscForServers "DeployIfNotExists" ` - -enableAscForSql "DeployIfNotExists" ` - -enableAscForAppServices "DeployIfNotExists" ` - -enableAscForStorage "DeployIfNotExists" ` - -enableAscForContainers "DeployIfNotExists" ` - -enableAscForKeyVault "DeployIfNotExists" ` - -enableAscForSqlOnVm "DeployIfNotExists" ` - -enableAscForArm "DeployIfNotExists" ` - -enableAscForDns "DeployIfNotExists" ` - -enableAscForOssDb "DeployIfNotExists" ` - -emailContactAsc $SecurityContactEmailAddress ` - -Verbose - -# Assign Azure Policy to enable Microsoft Cloud Security Benchmark, deployed to top level management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-asb" ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DINE-ASBPolicyAssignment.json ` - -ManagementGroupId $ESLZPrefix ` - -Verbose - -# Create connectivity hub, using traditional hub & spoke in this example - -Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId - -New-AzSubscriptionDeployment -Name "$($DeploymentName)-hubspoke" ` - -Location $Location ` - -TemplateFile .\eslzArm\subscriptionTemplates\hubspoke-connectivity.json ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -connectivitySubscriptionId $ConnectivitySubscriptionId ` - -addressPrefix $ConnectivityAddressPrefix ` - -enableHub "vhub" ` - -enableAzFw "No" ` - -enableAzFwDnsProxy "No" ` - -enableVpnGw "No" ` - -enableErGw "No" ` - -enableDdoS "No" ` - -Verbose - -# Create Private DNS Zones for 
Azure PaaS services. Note, you must repeat this deployment for all Azure PaaS services as requested, and an updated table can be found at https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration -# The following example will first create a resource group, and the subsequent deployment will create Private DNS Zone for Storage Account into that resource group - -Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId - -New-AzSubscriptionDeployment -Name "$($DeploymentName)-private-dns-rg" ` - -Location $Location ` - -TemplateFile .\eslzArm\subscriptionTemplates\resourceGroup.json ` - -rgName "$($ESLZPrefix)-privatedns" ` - -locationFromTemplate $Location ` - -Verbose - -New-AzResourceGroupDeployment -Name "$($DeploymentName)-private-dns-storage" ` - -ResourceGroupName "$($ESLZPrefix)-privatedns" ` - -TemplateFile .\eslzArm\resourceGroupTemplates\privateDnsZones.json ` - -connectivityHubResourceId "/subscriptions/$($ConnectivitySubscriptionId)/resourceGroups/$($ESLZPrefix)-vnethub-$($Location)/providers/Microsoft.Network/virtualNetworks/$($ESLZPrefix)-hub-$($Location)" ` - -privateDnsZoneName "privatelink.blob.core.windows.net" ` - -Verbose - -# Assign Azure Policy to prevent public IP usage in the identity subscription - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-public-ip" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-identity" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-PublicIpAddressPolicyAssignment.json ` - -Verbose - -# Assign Azure Policy to enforce VM Backup on VMs in the identity subscription - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-vm-backup" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-identity" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DINE-VMBackupPolicyAssignment.json ` - -topLevelManagementGroupPrefix "idVmBackup" ` - -Verbose - -# Assign Azure Policy to 
deny RDP access from internet into VMs (domain controllers) in the identity subscription - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-vm-rdp" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-identity" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-RDPFromInternetPolicyAssignment.json ` - -topLevelManagementGroupPrefix $eslzPrefix ` - -Verbose - -# Assign Azure Policy to deny subnets without NSG in the identity subscription - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-subnet-nsg" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-identity" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-SubnetWithoutNsgPolicyAssignment.json ` - -topLevelManagementGroupPrefix $eslzPrefix ` - -Verbose - -# Assign Azure Policy to deny IP forwarding on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-ip-fwd" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-IPForwardingPolicyAssignment.json ` - -Verbose - -# Assign Azure Policy to deny IP deny subnets without NSG on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-lz-subnet-nsg" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-SubnetWithoutNsgPolicyAssignment.json ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -Verbose - -# Assign Azure Policy to deny RDP access from internet into VMs on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-lz-vm-rdp" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-RDPFromInternetPolicyAssignment.json ` - -topLevelManagementGroupPrefix $eslzPrefix 
` - -Verbose - -# Assign Azure Policy to deny usage of storage accounts over http on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-storage-https" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-StorageWithoutHttpsPolicyAssignment.json ` - -Verbose - -# Assign Azure Policy to enforce AKS policy add-on on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-aks-policy" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DINE-AksPolicyPolicyAssignment.json ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -Verbose - -# Assign Azure Policy to enforce SQL auditing on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-sql-auditing" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DINE-SQLAuditingPolicyAssignment.json ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -Verbose - -# Assign Azure Policy to enforce VM Backup on VMs on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-vm-lz-backup" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DINE-VMBackupPolicyAssignment.json ` - -topLevelManagementGroupPrefix "lzVmBackup" ` - -Verbose - -# Assign Azure Policy to enforce TLS/SSL on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-tls-ssl" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json ` - 
-topLevelManagementGroupPrefix $eslzPrefix ` - -Verbose - -# Assign Azure Policy to enforce AKS clusters to not allow container priv escalation on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-aks-priv-esc" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-AksPrivEscalationPolicyAssignment.json ` - -Verbose - -# Assign Azure Policy to enforce AKS clusters to not allow privileged containers on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-aks-priv-con" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-AksPrivilegedPolicyAssignment.json ` - -Verbose - -# Assign Azure Policy to enforce AKS clusters to not allow traffic over http on the landing zones management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-aks-priv-https" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-landingzones" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-AksWithoutHttpsPolicyAssignment.json ` - -Verbose - -# Assign Azure Policy to prevent usage of public endpoint for Azure PaaS services on the corp landing zone management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-paas-endpoint" ` - -Location $Location ` - -ManagementGroupId "$($ESLZPrefix)-corp" ` - -TemplateFile .\eslzArm\managementGroupTemplates\policyAssignments\DENY-PublicEndpointPolicyAssignment.json ` - -topLevelManagementGroupPrefix $ESLZPrefix ` - -Verbose - -# Add the first corp connected landing zone subscription to Corp management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-corp1" ` - -ManagementGroupId "$($ESLZPrefix)-corp" ` - -Location $Location ` - -TemplateFile 
.\eslzArm\managementGroupTemplates\subscriptionOrganization\subscriptionOrganization.json ` - -targetManagementGroupId "$($ESLZPrefix)-corp" ` - -subscriptionId $CorpConnectedLandingZoneSubscriptionId ` - -Verbose - -# Add the first online connected landing zone subscription to Online management group - -New-AzManagementGroupDeployment -Name "$($DeploymentName)-online1" ` - -ManagementGroupId "$($ESLZPrefix)-online" ` - -Location $Location ` - -TemplateFile .\eslzArm\managementGroupTemplates\subscriptionOrganization\subscriptionOrganization.json ` - -targetManagementGroupId "$($ESLZPrefix)-online" ` - -subscriptionId $OnlineLandingZoneSubscriptionId ` - -Verbose -```` +This folder contains the first-party ARM templates for Enterprise-Scale which and are being used when deploying and bootstrapping in the Azure Portal. \ No newline at end of file diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index ffac0cd394..b3e6849917 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json 
@@ -76,6 +76,17 @@ "method": "GET", "path": "locations?api-version=2019-11-01" } + }, + { + "name": "getRegulatoryCompliancePolicies", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "POST", + "path": "providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01", + "body": { + "query": "policyresources | where type == 'microsoft.authorization/policysetdefinitions' | extend metadataCategory=tostring(properties.metadata.category) | extend metadataDeprecated=tostring(properties.metadata.deprecated) | extend displayName=tostring(properties.displayName) | extend description=tostring(properties.description) | where properties.metadata.category =~ 'Regulatory Compliance' | where metadataDeprecated != 'true' | extend valueOutput=pack('displayName', displayName, 'id', id, 'description', description) | project id, name, displayName, description, metadataCategory, valueOutput | project label=displayName, description, value=valueOutput | order by label asc" + } + } } ] }, @@ -137,7 +148,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Platform subscription options", "defaultValue": "Dedicated (recommended)", - "toolTip": "If 'Dedicated (recommended)' is selected, dedicated Subscriptions will be used for deploying connectivity, identity and management resources.", + "toolTip": "If 'Dedicated (recommended)' is selected, dedicated Subscriptions will be used for deploying connectivity, identity and management resources. Select Single for testing purposes where all roles will be deployed in a single subscription.", "constraints": { "allowedValues": [ { 
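Review bot: The deprecation filter in the new `getRegulatoryCompliancePolicies` query, `| where metadataDeprecated != 'true'`, is a case-sensitive string comparison, while the category filter two clauses earlier uses the case-insensitive `=~`; a definition whose `deprecated` metadata serialises as `True` (or anything other than the lowercase literal) would slip through the filter and be offered to the user as assignable. A consistent form would be `| where metadataDeprecated !~ 'true'`, or `| where tobool(properties.metadata.deprecated) != true` so the `tostring` round-trip is not needed. The query also extends `metadataCategory` but then filters on the raw `properties.metadata.category`; filtering on the extended column keeps the projection and the predicate in step. Since this is a long single-line KQL string embedded in JSON, a reviewer cannot see these differences without copying it out, so the intent of each clause is worth stating in the PR description or a neighbouring wiki page.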
@@ -195,6 +206,70 @@ ], "visible": "[equals(steps('core').platformSubscription, 'Single')]" }, + { + "name": "deploySecondaryRegion", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy in a secondary region", + "defaultValue": "Yes (recommended)", + "visible": true, + "toolTip": "If you select Yes, you will be prompted to deploy resources in an additional region where appropriate.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "denyClassicResources", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent the deployment of classic resources", + "defaultValue": "Yes (recommended)", + "visible": true, + "toolTip": "If 'Yes' is selected then Azure Policy will prevent deployment of classic resources which will be retired on 31 August 2024.
Uses the policy Not allowed resource types with parameters including all classic resources.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "Audit only", + "value": "Audit" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "denyVMUnmanagedDisk", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent the deployment of virtual machines and virtual machine scale sets with unmanaged disks", + "defaultValue": "Yes (recommended)", + "visible": true, + "toolTip": "If 'Yes' is selected then Azure Policy will prevent deployment of virtual machines and virtual machine scales sets with unmanaged disks.
Uses the policy Audit VMs that do not use managed disks using a Deny override.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, { "name": "cuaSection", "type": "Microsoft.Common.Section", @@ -244,6 +319,62 @@ }, "bladeTitle": "ALZ - Management Settings", "elements": [ + { + "name": "esPlatformMgmtGroup", + "type": "Microsoft.Common.Section", + "label": "Platform Management Group", + "elements": [ + { + "name": "enforceKvGuardrailsPlat", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enforce Key Vault recommended guardrails", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy Initiative will be assigned to ensure recommended Key Vault policies are enabled.
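Review bot: The `denyVMUnmanagedDisk` toolTip misspells the resource type — `virtual machine scales sets` should be `virtual machine scale sets`, as in the label directly above it. The two new guardrails are also inconsistent: `denyClassicResources` offers `Audit only` but `denyVMUnmanagedDisk` offers only Yes/No, even though its own toolTip says the built-in is an audit policy with a Deny override, so an `{ "label": "Audit only", "value": "Audit" }` entry would be cheap if the template parameter accepts that value. The classic-resources toolTip hard-codes a retirement date, which will read as stale once it has passed; consider wording it without the date. The enclosing `core` step's element list runs past both ends of the hunk.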
Uses the custom initiative Enforce recommended guardrails for Azure Key Vault..", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "Audit only", + "value": "Audit" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "enforceBackupPlat", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enforce Backup and Recovery recommended guardrails", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy Initiative will be assigned to ensure recommended Azure Recovery Services policies are enabled.
Uses the custom initiative Enforce enhanced recovery and backup policies.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "Audit only", + "value": "Audit" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + } + ] + }, + { "name": "multiPlatformMgmtSub", "type": "Microsoft.Common.InfoBox", @@ -293,12 +424,41 @@ "subLabel": "Days", "defaultValue": 30, "showStepMarkers": false, - "toolTip": "Select retention days for Azure logs. Default is 30 days.", + "toolTip": "Select retention days for Azure logs. Default is 30 days (free retention period). If you are also deploying Microsoft Sentinel, change this to 90 days (free retention for Sentinel).", "constraints": { "required": false }, "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" }, + { + "name": "archiveLoggingInfo", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "Note: Log Analytics offers two log data plans, Analytics and Basic, that let you reduce log ingestion and retention costs, and archive that let you keep older data at a reduced cost. After deployment, go to the tables menu in the Log Analytics workspace and select the tables you want to archive or set with basic plan.
", + "style": "Info" + } + }, + { + "name": "enableSentinel", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Microsoft Sentinel (configuration required to activate)", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected Sentinel will be enabled on the Log Analytics workspace. Note additional configuration is required to complete Sentinel onboarding.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, { "name": "esMgmtSubSection", "type": "Microsoft.Common.Section", @@ -328,7 +488,7 @@ "visible": true, "constraints": { "allowedValues": "[steps('basics').getSubscriptions.data]", - "required": false + "required": true } } ], @@ -346,32 +506,12 @@ } } }, - { - "name": "enableAgentHealth", - "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy Agent Health solution", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance", - "constraints": { - "allowedValues": [ - { - "label": "Yes (recommended)", - "value": "Yes" - }, - { - "label": "No", - "value": "No" - } - ] - }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" - }, { "name": "enableChangeTracking", "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy Change Tracking solution", + "label": "Deploy Change Tracking", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.", "constraints": { "allowedValues": [ { 
@@ -389,9 +529,9 @@
 {
 "name": "enableUpdateMgmt",
 "type": "Microsoft.Common.OptionsGroup",
- "label": "Deploy Update Management solution",
+ "label": "Deploy Azure Update Manager",
 "defaultValue": "Yes (recommended)",
- "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.",
 "constraints": {
 "allowedValues": [
 {
@@ -409,89 +549,9 @@ { "name": "enableVmInsights", "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy VM Insights solution", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance", - "constraints": { - "allowedValues": [ - { - "label": "Yes (recommended)", - "value": "Yes" - }, - { - "label": "No", - "value": "No" - } - ] - }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" - }, - { - "name": "enableServiceMap", - "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy Service Map solution", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance", - "constraints": { - "allowedValues": [ - { - "label": "Yes (recommended)", - "value": "Yes" - }, - { - "label": "No", - "value": "No" - } - ] - }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" - }, - { - "name": "enableSqlAssessment", - "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy SQL Assessment solution", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance", - "constraints": { - "allowedValues": [ - { - "label": "Yes (recommended)", - "value": "Yes" - }, - { - "label": "No", - "value": "No" - } - ] - }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" - }, - { - "name": "enableSqlVulnerabilityAssessment", - "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy SQL Vulnerability Assessment solution", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance", - "constraints": { - 
"allowedValues": [ - { - "label": "Yes (recommended)", - "value": "Yes" - }, - { - "label": "No", - "value": "No" - } - ] - }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" - }, - { - "name": "enableSqlAdvancedThreatProtection", - "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy SQL Advanced Threat Protection solution", + "label": "Deploy VM Insights", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.", "constraints": { "allowedValues": [ { @@ -523,7 +583,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Deploy Microsoft Defender for Cloud and enable security monitoring for your platform and resources", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance", + "toolTip": "Selecting 'Yes' will enable the options to configure individual Microsoft Defender for Cloud components, and will enable Microsoft Defender for Cloud plans on all subscriptions in the Azure Landing Zone. If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.", "constraints": { "allowedValues": [ { @@ -542,7 +602,7 @@ "name": "emailContactAsc", "type": "Microsoft.Common.TextBox", "label": "Microsoft Defender for Cloud Email Contact", - "toolTip": "Email address to get email notifications from Azure Security Center", + "toolTip": "Email address to get email notifications from Microsoft Defender for Cloud.", "visible": "[equals(steps('management').enableAsc,'Yes')]", "defaultValue": "", "constraints": { 
@@ -556,7 +616,27 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable Microsoft Defender for Cloud for servers", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for all servers.", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for all servers.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", + "visible": "[equals(steps('management').enableAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] + } + }, + { + "name": "enableAscForServersVulnerabilityAssessments", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for Cloud for servers vulnerability assessments", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud for servers vulnerability assessments will be enabled for all servers.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", "visible": "[equals(steps('management').enableAsc,'Yes')]", "constraints": { "allowedValues": [ @@ -576,7 +656,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable Microsoft Defender for Cloud for open-source relational databases", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for open-source relational databases.", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for open-source relational databases.
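Review bot: The new `enableAscForServersVulnerabilityAssessments` control is shown whenever `enableAsc` is Yes, independent of the servers option right above it, so a user can set Defender for servers to `Disabled` and still leave vulnerability assessments at `DeployIfNotExists`; if the assessment policy depends on the servers plan (the label suggests it does), that yields an assignment that can never remediate. Hiding the control on the servers answer is not enough by itself, because hidden createUiDefinition elements still emit their default value — the dependency should also be folded into the output, e.g. `[if(equals(steps('management').enableAscForServers,'Disabled'),'Disabled',steps('management').enableAscForServersVulnerabilityAssessments)]` in the outputs section, which lies outside this hunk. The servers control's `name` is also outside the hunk, so confirm the identifier before wiring it. The new control's `constraints` block is cut by the hunk boundary.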
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", "visible": "[and(equals(steps('management').enableAsc,'Yes'), equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'))]", "constraints": { "allowedValues": [ @@ -596,7 +676,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable Microsoft Defender for Cloud for Cosmos DB", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Cosmos DB", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Cosmos DB.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", "visible": "[and(equals(steps('management').enableAsc,'Yes'), equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'))]", "constraints": { "allowedValues": [ @@ -616,7 +696,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable Microsoft Defender for Cloud for AppServices", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for AppServices.", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for AppServices.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", "visible": "[and(equals(steps('management').enableAsc,'Yes'), equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'))]", "constraints": { "allowedValues": [ @@ -636,7 +716,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable Microsoft Defender for Cloud for Storage", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Storage.", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Storage.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", "visible": "[and(equals(steps('management').enableAsc,'Yes'), or(equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'), equals(steps('basics').cloudEnvironment.selection, 'AzureUSGovernment')))]", "constraints": { "allowedValues": [ @@ -656,7 +736,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable Microsoft Defender for Cloud for Azure SQL Database", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Azure SQL Database.", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Azure SQL Database.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", "visible": "[equals(steps('management').enableAsc,'Yes')]", "constraints": { "allowedValues": [ @@ -676,7 +756,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable Microsoft Defender for Cloud for SQL servers on machines", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for SQL servers on machines.", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for SQL servers on virtual machines.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", "visible": "[and(equals(steps('management').enableAsc,'Yes'), equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'))]", "constraints": { "allowedValues": [ @@ -696,7 +776,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable Microsoft Defender for Cloud for Key Vault", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Key Vault.", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Key Vault.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", "visible": "[and(equals(steps('management').enableAsc,'Yes'), equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'))]", "constraints": { "allowedValues": [ @@ -716,7 +796,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Enable Microsoft Defender for Cloud for Azure Resource Manager", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Resource Manager.", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Resource Manager.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", "visible": "[and(equals(steps('management').enableAsc,'Yes'), or(equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'), equals(steps('basics').cloudEnvironment.selection, 'AzureUSGovernment')))]", "constraints": { "allowedValues": [ @@ -732,11 +812,11 @@ } }, { - "name": "enableAscForDns", + "name": "enableAscForApis", "type": "Microsoft.Common.OptionsGroup", - "label": "Enable Microsoft Defender for Cloud for DNS", + "label": "Enable Microsoft Defender for Cloud for APIs", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for DNS.", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for APIs.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", "visible": "[and(equals(steps('management').enableAsc,'Yes'), or(equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'), equals(steps('basics').cloudEnvironment.selection, 'AzureUSGovernment')))]", "constraints": { "allowedValues": [ @@ -752,12 +832,12 @@ } }, { - "name": "enableAscForContainers", + "name": "enableAscForCspm", "type": "Microsoft.Common.OptionsGroup", - "label": "Enable Microsoft Defender for Cloud for Containers (Kubernetes and Container Registries)", + "label": "Enable Microsoft Defender CSPM", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Containers (Kubernetes and Container Registries).", - "visible": "[equals(steps('management').enableAsc,'Yes')]", + "toolTip": "If 'Yes' is selected, Microsoft Defender CSPM will be enabled.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", + "visible": "[and(equals(steps('management').enableAsc,'Yes'), or(equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'), equals(steps('basics').cloudEnvironment.selection, 'AzureUSGovernment')))]", "constraints": { "allowedValues": [ { @@ -772,190 +852,211 @@ } }, { - "name": "enableSecuritySolution", + "name": "enableAscForDns", "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy Microsoft Sentinel", + "label": "Enable Microsoft Defender for Cloud for DNS", "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for DNS.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", + "visible": "[and(equals(steps('management').enableAsc,'Yes'), or(equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'), equals(steps('basics').cloudEnvironment.selection, 'AzureUSGovernment')))]", "constraints": { "allowedValues": [ { "label": "Yes (recommended)", - "value": "Yes" + "value": "DeployIfNotExists" }, { "label": "No", - "value": "No" + "value": "Disabled" } ] - }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" - } - ] - }, - { - "name": "automation", - "label": "Platform DevOps and automation", - "subLabel": {}, - "bladeTitle": "ALZ - Automation Settings", - "elements": [ - { - "name": "automationBlankNote", - "type": "Microsoft.Common.InfoBox", - "visible": true, - "options": { - "text": "Please ensure you have selected a management or platform subscription on the 'Platform management, security, and governance' blade", - "uri": "https://github.com/Azure/Enterprise-Scale/wiki/Deploying-ALZ-Platform-DevOps", - "style": "Warning" } }, { - "name": "info", - "type": "Microsoft.Common.InfoBox", - "visible": "[or(not(empty(steps('management').esMgmtSubSection.esMgmtSub)), not(empty(steps('core').singleSubscription.selector)))]", - "options": { - "text": "Azure Landing Zones provides an integrated CI/CD pipeline via AzOps that can be used with either GitHub Actions or Azure DevOps pipelines.", - "uri": "https://github.com/azure/azops-accelerator/wiki/introduction", - "style": "Info" - } - }, - { - "name": "correction", - "type": "Microsoft.Common.InfoBox", - "visible": "[and(equals(steps('management').enableLogAnalytics, 'No'), not(equals(steps('core').platformSubscription, 'Single')))]", - "options": { - "text": "Azure Landing Zones provides an integrated CI/CD pipeline via AzOps that can be used with either GitHub Actions or Azure DevOps pipelines, but requires a dedicated subscription for platform management in the previous step. 
Please add a subscription or continue without setting up the CI/CD integration.", - "uri": "https://github.com/azure/azops-accelerator/wiki/introduction", - "style": "Warning" + "name": "enableAscForContainers", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Microsoft Defender for Cloud for Containers (Kubernetes and Container Registries)", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for Containers (Kubernetes and Container Registries).
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.", + "visible": "[equals(steps('management').enableAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "DeployIfNotExists" + }, + { + "label": "No", + "value": "Disabled" + } + ] } }, { - "name": "enableAzOps", + "name": "enableMDEndpoints", "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy integrated CI/CD pipeline?", - "defaultValue": "No", - "toolTip": "", + "label": "Deploy Microsoft Defender for Endpoints", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Microsoft Defender for Endpoints will be deployed to supported virtual machines. You may want to disable this if you are using a third-party endpoint protection solution.
Uses the initiative Deploy Microsoft Defender for Endpoint agent.", "constraints": { "allowedValues": [ { - "label": "Yes", - "value": "Yes" + "label": "Yes (recommended)", + "value": "DeployIfNotExists" }, { "label": "No", - "value": "No" + "value": "Disabled" } - ], - "required": true + ] }, - "visible": "[or(not(empty(steps('management').esMgmtSubSection.esMgmtSub)), not(empty(steps('core').singleSubscription.selector)))]" - }, + "visible": "[equals(steps('management').enableAsc,'Yes')]" + } + ] + }, + { + "name": "monitor", + "label": "Baseline alerts and monitoring", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "ALZ - Baseline Alerts", + "elements": [ { - "name": "Instructions", - "type": "Microsoft.Common.TextBlock", - "visible": "[equals(steps('automation').enableAzOps,'Yes')]", + "name": "baselinealertsintro", + "type": "Microsoft.Common.InfoBox", + "visible": true, "options": { - "text": "Provide the credentials to initialize the repository with the ARM templates for Azure Landing Zones.", - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization" - } + "text": "Azure Landing Zones will create ARM automation to deploy baseline alerts automatically as resources are deployed. Note that selecting Yes to the Option 'Deploy one or more Azure Monitor Baseline Alerts', will automatically import all policies and initiatives and will assign the Deploy Azure Monitor Baseline Alerts for Service Health policy initiative at the intermediate root.", + "uri": "https://aka.ms/amba/alz/docs", + "style": "Info" } }, { - "name": "optionsGroup1", + "name": "enableMonitorBaselines", "type": "Microsoft.Common.OptionsGroup", - "label": "Select CI/CD option", - "defaultValue": "GitHub Actions", - "toolTip": "Azure Landing Zones will provide options for both GitHub Actions and Azure DevOps pipelines. 
For now, only GitHub Actions is available", + "label": "Deploy one or more Azure Monitor Baseline Alerts", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected Azure Monitor Baseline Alerts can be enabled for the selected resources. Note that choosing Yes will import all Monitor baseline alerts into your environment, and assign the Deploy Azure Monitor Service Health policy initiative to your designated intermediate root. For more information on what is included in the Service Health initiative please refer to https://aka.ms/amba/alz/wiki under Azure Policy Initiatives and Alert Details", "constraints": { "allowedValues": [ { - "label": "GitHub Actions", - "value": "actions" + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" } - ], - "required": true + ] }, - "visible": "[equals(steps('automation').enableAzOps,'Yes')]" + "visible": true }, { - "name": "gitHubUserNameOrOrg", + "name": "monitorAlertsResourceGroup", "type": "Microsoft.Common.TextBox", - "label": "GitHub organization or username", - "toolTip": "Provide Git org/username.", - "visible": "[equals(steps('automation').enableAzOps,'Yes')]", - "defaultValue": "", + "label": "Resource group for baseline alerts", + "toolTip": "Resource group for activity log alerts and action groups. Will be created in all subscriptions in scope for the policy", + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]", + "defaultValue": "rg-amba-monitoring-001", "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z-]{1,39}$", - "validationMessage": "The GitHub org/username must be 1-39 characters." 
+ "required": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]", + "regex": "^[a-zA-Z0-9][a-zA-Z0-9-_.()]{0,89}[a-zA-Z0-9]$", + "validationMessage": "Please provide a valid resource group name" } }, { - "name": "repositoryName", + "name": "emailContactActionGroup", "type": "Microsoft.Common.TextBox", - "label": "New GitHub repository name", - "toolTip": "Provide a name for the new repository that will be created", + "label": "Email contact for action group notifications", + "toolTip": "Email address to get email notifications from alerts", + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]", "defaultValue": "", - "visible": "[equals(steps('automation').enableAzOps,'Yes')]", - "placeholder": "", "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z-]{1,100}$", - "validationMessage": "The repository name must be 1-100 characters." + "required": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]", + "regex": "^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", + "validationMessage": "Please provide a valid email address" } }, { - "name": "paToken", - "type": "Microsoft.Common.PasswordBox", - "label": { - "password": "GitHub personal access token", - "confirmPassword": "Confirm PA Token" - }, - "toolTip": "Provide the personal access token to access your GitHub account or organization. For more information see this link: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token", + "name": "enableMonitorConnectivity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Monitor Baseline Alerts for Connectivity. ", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected the Deploy Azure Monitor Baseline Alerts for Connectivity policy initiative is assigned to the Connectivity management group. This will ensure that relevant new resources created within that scope are configured with appropriate baseline alerts. 
For more details on what is included in the initiative please refer to https://aka.ms/amba/alz/wiki under Azure Policy Initiatives and Alert Details.", "constraints": { - "required": true, - "validationMessage": "Password must be at least 8 characters long, contain only numbers and letters" - }, - "options": { - "hideConfirmation": true + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] }, - "visible": "[equals(steps('automation').enableAzOps,'Yes')]" + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]" }, { - "name": "spnSection", - "type": "Microsoft.Common.Section", - "label": "", - "elements": [ - { - "name": "esServicePrincipal", - "type": "Microsoft.Common.ServicePrincipalSelector", - "visible": "[equals(steps('automation').enableAzOps,'Yes')]", - "label": { - "password": "Password", - "certificateThumbprint": "Certificate thumbprint", - "authenticationType": "Authentication Type", - "sectionHeader": "Service Principal" - }, - "toolTip": { - "password": "Provide the application secret as it will be used to authenticate with Azure AD", - "certificateThumbprint": "Certificate thumbprint", - "authenticationType": "Authentication Type" + "name": "enableMonitorIdentity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Monitor Baseline Alerts for Identity", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected the Deploy Azure Monitor Baseline Alerts for Identity policy initiative is assigned to the Identity management group. This will ensure that relevant new resources created within that scope are configured with appropriate baseline alerts. 
For more details on what is included in the initiative please refer to https://aka.ms/amba/alz/wiki under Azure Policy Initiatives and Alert Details.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" }, - "defaultValue": { - "principalId": "", - "name": "" + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]" + }, + { + "name": "enableMonitorManagement", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Monitor Baseline Alerts for Management", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected the Deploy Azure Monitor Baseline Alerts for Management policy initiative is assigned to the Management management group. This will ensure that relevant new resources created within that scope are configured with appropriate baseline alerts. For more details on what is included in the initiative please refer to https://aka.ms/amba/alz/wiki under Azure Policy Initiatives and Alert Details.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" }, - "constraints": { - "required": true + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]" + }, + { + "name": "enableMonitorLandingZones", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Monitor Baseline Alerts for Landing Zones", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected the Deploy Azure Monitor Baseline Alerts for Landing Zone policy initiative is assigned to the Landing Zones management group. This will ensure that relevant new resources created within that scope are configured with appropriate baseline alerts. 
For more details on what is included in the initiative please refer to https://aka.ms/amba/alz/wiki under Azure Policy Initiatives and Alert Details.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" }, - "options": { - "hideCertificate": true + { + "label": "No", + "value": "No" } - } - ], - "visible": "[equals(steps('automation').enableAzOps,'Yes')]" + ] + }, + "visible": "[equals(steps('monitor').enableMonitorBaselines,'Yes')]" } ] }, @@ -1016,6 +1117,16 @@ }, "visible": true }, + { + "name": "esNwNVANote", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('connectivity').enableHub, 'nva')]", + "options": { + "text": "For high availability of third-party NVAs please see the guidance: Deploy highly available NVAs", + "uri": "https://learn.microsoft.com/azure/architecture/networking/guide/nva-ha", + "style": "Info" + } + }, { "name": "esNwSubSection", "type": "Microsoft.Common.Section", @@ -1114,7 +1225,7 @@ "label": "Enable DDoS Network Protection", "defaultValue": "Yes (recommended)", "visible": "[not(equals(steps('connectivity').enableHub, 'No'))]", - "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Network Protection will be enabled.", + "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Network Protection will be enabled on the connectivity virtual network. Please note that DDoS Network Protection does incur additional costs that need to be considered, for more information: DDoS Network Protection pricing.", "constraints": { "allowedValues": [ { 
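Review bot: The `emailContactActionGroup` regex `^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$` rejects valid addresses — any TLD longer than four characters (`.cloud`, `.email`, `.technology`) and local parts containing `+` — while `\\w` admits digits and underscores in the TLD; a less wrong pattern is `"regex": "^[\\w.+-]+@([\\w-]+\\.)+[A-Za-z]{2,}$"`. The `monitorAlertsResourceGroup` regex `^[a-zA-Z0-9][a-zA-Z0-9-_.()]{0,89}[a-zA-Z0-9]$` admits 2–91 characters where Azure allows 1–90, and forbids a trailing `_`, `-` or `)` that Azure accepts (only a trailing period is invalid), so `"regex": "^[\\w().-]{0,89}[\\w()-]$"` matches the service rule more closely. Both are form-side checks only — the portal validates them in the UI, not at deployment — so the template consuming these outputs should not treat them as enforced. Minor: the `enableMonitorConnectivity` label carries a trailing `. ` that its sibling labels do not. The `management` step's earlier elements lie outside the hunk.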
@@ -1134,7 +1245,7 @@
 "label": "Create Private DNS Zones for Azure PaaS services",
 "defaultValue": "Yes (recommended)",
 "visible": "[or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'nva'))]",
- "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will create Private DNS Zones for Azure PaaS services",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will create Private DNS Zones for Azure PaaS services based on your selection below",
 "constraints": {
 "allowedValues": [
 {
@@ -1149,309 +1260,544 @@ } }, { - "name": "enableVpnGw", - "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy VPN Gateway", - "defaultValue": "No", - "visible": "[not(equals(steps('connectivity').enableHub, 'No'))]", - "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy VPN gateway", - "constraints": { - "allowedValues": [ - { - "label": "Yes", - "value": "Yes" - }, - { - "label": "No", - "value": "No" - } - ] - } - }, - { - "name": "gwRegionalOrAz", - "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy zone redundant or regional VPN Gateway", - "defaultValue": "Zone redundant (recommended)", - "visible": "[and(and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableVpnGw,'Yes'),contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia', ','), steps('connectivity').connectivityLocation))]", - "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.", - "constraints": { - "allowedValues": [ - { - "label": "Zone redundant (recommended)", - "value": "Zone" - }, - { - "label": "Regional", - "value": "Regional" - } - ] - } - }, - { - "name": "esGwNoAzSku", - "type": "Microsoft.Common.DropDown", - "label": "Select the VPN Gateway SKU", - "defaultValue": "", - "multiselect": false, - "selectAll": false, - "filter": false, - "multiLine": true, - "visible": "[and(and(equals(steps('connectivity').enableVpnGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableVpnGw,'Yes'), 
not(contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia', ','), steps('connectivity').connectivityLocation)))]", - "toolTip": "Select the required SKU for the VPN gateway.", - "constraints": { - "allowedValues": [ - { - "label": "VpnGw2", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", - "value": "VpnGw2" - }, - { - "label": "VpnGw3", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", - "value": "VpnGw3" - }, - { - "label": "VpnGw4", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", - "value": "VpnGw4" - }, - { - "label": "VpnGw5", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", - "value": "VpnGw5" - } - ] - } - }, - { - "name": "gwAzSku", + "name": "privateDnsZones", "type": "Microsoft.Common.DropDown", - "label": "Select the VPN Gateway SKU", - "defaultValue": "", - "multiselect": false, - "selectAll": false, - "filter": false, + "label": "Select Private DNS Zones to create", + "multiselect": true, + "selectAll": true, + "filter": true, "multiLine": true, - "visible": "[and(and(equals(steps('connectivity').enableVpnGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableVpnGw,'Yes'), equals(steps('connectivity').gwRegionalOrAz, 'Zone') 
,contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia', ','), steps('connectivity').connectivityLocation))]", - "toolTip": "Select the required SKU for the VPN gateway.", - "constraints": { - "allowedValues": [ - { - "label": "VpnGw2AZ", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", - "value": "VpnGw2AZ" - }, - { - "label": "VpnGw3AZ", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", - "value": "VpnGw3AZ" - }, - { - "label": "VpnGw4AZ", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", - "value": "VpnGw4AZ" - }, - { - "label": "VpnGw5AZ", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", - "value": "VpnGw5AZ" - } - ] - } - }, - { - "name": "gwRegionalSku", - "type": "Microsoft.Common.DropDown", - "label": "Select the VPN Gateway SKU", - "defaultValue": "", - "multiselect": false, - "selectAll": false, - "filter": false, - "multiLine": true, - "visible": "[and(and(equals(steps('connectivity').enableVpnGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableVpnGw,'Yes'), equals(steps('connectivity').gwRegionalOrAz, 'Regional') 
,contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('connectivity').connectivityLocation))]", - "toolTip": "Select the required SKU for the VPN gateway.", + "defaultValue": [ + { + "value": "privatelink.regionGeoShortCode.backup.windowsazure.com" + }, + { + "value": "[format('privatelink.{0}.azmk8s.io', toLower(steps('connectivity').connectivityLocation))]" + }, + { + "value": "[format('privatelink.{0}.batch.azure.com', toLower(steps('connectivity').connectivityLocation))]" + }, + { + "value": "[format('privatelink.{0}.kusto.windows.net', toLower(steps('connectivity').connectivityLocation))]" + }, + { + "value": "privatelink.adf.azure.com" + }, + { + "value": "privatelink.afs.azure.net" + }, + { + "value": "privatelink.agentsvc.azure-automation.net" + }, + { + "value": "privatelink.analysis.windows.net" + }, + { + "value": "privatelink.api.azureml.ms" + }, + { + "value": "privatelink.azconfig.io" + }, + { + "value": "privatelink.azure-api.net" + }, + { + "value": "privatelink.azure-automation.net" + }, + { + "value": "privatelink.azurecr.io" + }, + { + "value": "privatelink.azure-devices.net" + }, + { + "value": "privatelink.azure-devices-provisioning.net" + }, + { + "value": "privatelink.azuredatabricks.net" + }, + { + "value": "privatelink.azurehdinsight.net" + }, + { + "value": "privatelink.azurehealthcareapis.com" + }, + { + "value": "privatelink.azureiotcentral.com" + }, + { + "value": "privatelink.azurestaticapps.net" + }, + { + "value": "privatelink.azuresynapse.net" + }, + { + "value": "privatelink.azurewebsites.net" + }, + { + "value": "privatelink.batch.azure.com" + }, + { + "value": "privatelink.blob.core.windows.net" + }, + { + "value": "privatelink.cassandra.cosmos.azure.com" + }, + { + "value": "privatelink.cognitiveservices.azure.com" + }, + { + "value": "privatelink.database.windows.net" + }, 
+ { + "value": "privatelink.datafactory.azure.net" + }, + { + "value": "privatelink.dev.azuresynapse.net" + }, + { + "value": "privatelink.dfs.core.windows.net" + }, + { + "value": "privatelink.dicom.azurehealthcareapis.com" + }, + { + "value": "privatelink.digitaltwins.azure.net" + }, + { + "value": "privatelink.directline.botframework.com" + }, + { + "value": "privatelink.documents.azure.com" + }, + { + "value": "privatelink.dp.kubernetesconfiguration.azure.com" + }, + { + "value": "privatelink.eventgrid.azure.net" + }, + { + "value": "privatelink.file.core.windows.net" + }, + { + "value": "privatelink.grafana.azure.com" + }, + { + "value": "privatelink.gremlin.cosmos.azure.com" + }, + { + "value": "privatelink.guestconfiguration.azure.com" + }, + { + "value": "privatelink.his.arc.azure.com" + }, + { + "value": "privatelink.kubernetesconfiguration.azure.com" + }, + { + "value": "privatelink.managedhsm.azure.net" + }, + { + "value": "privatelink.mariadb.database.azure.com" + }, + { + "value": "privatelink.media.azure.net" + }, + { + "value": "privatelink.mongo.cosmos.azure.com" + }, + { + "value": "privatelink.monitor.azure.com" + }, + { + "value": "privatelink.mysql.database.azure.com" + }, + { + "value": "privatelink.notebooks.azure.net" + }, + { + "value": "privatelink.ods.opinsights.azure.com" + }, + { + "value": "privatelink.oms.opinsights.azure.com" + }, + { + "value": "privatelink.pbidedicated.windows.net" + }, + { + "value": "privatelink.postgres.database.azure.com" + }, + { + "value": "privatelink.prod.migration.windowsazure.com" + }, + { + "value": "privatelink.purview.azure.com" + }, + { + "value": "privatelink.purviewstudio.azure.com" + }, + { + "value": "privatelink.queue.core.windows.net" + }, + { + "value": "privatelink.redis.cache.windows.net" + }, + { + "value": "privatelink.redisenterprise.cache.azure.net" + }, + { + "value": "privatelink.search.windows.net" + }, + { + "value": "privatelink.service.signalr.net" + }, + { + "value": 
"privatelink.servicebus.windows.net" + }, + { + "value": "privatelink.siterecovery.windowsazure.com" + }, + { + "value": "privatelink.sql.azuresynapse.net" + }, + { + "value": "privatelink.table.core.windows.net" + }, + { + "value": "privatelink.table.cosmos.azure.com" + }, + { + "value": "privatelink.tip1.powerquery.microsoft.com" + }, + { + "value": "privatelink.token.botframework.com" + }, + { + "value": "privatelink.vaultcore.azure.net" + }, + { + "value": "privatelink.web.core.windows.net" + }, + { + "value": "privatelink.webpubsub.azure.com" + }, + { + "value": "privatelink.wvd.microsoft.com" + }, + { + "value" : "privatelink-global.wvd.microsoft.com" + } + ], + "visible": "[and(or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enablePrivateDnsZones,'No')))]", + "toolTip": "Select each Private DNS Zone to create which will offer DNS integration with Azure PaaS services where you enable private endpoints.", "constraints": { "allowedValues": [ { - "label": "VpnGw2", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", - "value": "VpnGw2" + "label": "privatelink.regionGeoShortCode.backup.windowsazure.com", + "value": "privatelink.regionGeoShortCode.backup.windowsazure.com", + "description": "This Private DNS Zone contains an Azure Region's geo short code (e.g. 'uksouth' is 'uks' - list available here) that is based on the region selected above for your hub." 
}, { - "label": "VpnGw3", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", - "value": "VpnGw3" + "label": "privatelink.region.azmk8s.io", + "value": "[format('privatelink.{0}.azmk8s.io', toLower(steps('connectivity').connectivityLocation))]", + "description": "This Private DNS Zone contains the Azure Region's short name (e.g. 'uksouth') that is based on the region selected above for your hub." }, { - "label": "VpnGw4", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", - "value": "VpnGw4" + "label": "privatelink.region.batch.azure.com", + "value": "[format('privatelink.{0}.batch.azure.com', toLower(steps('connectivity').connectivityLocation))]", + "description": "This Private DNS Zone contains the Azure Region's short name (e.g. 'uksouth') that is based on the region selected above for your hub." }, { - "label": "VpnGw5", - "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", - "value": "VpnGw5" - } - ] - } - }, - { - "name": "vpnGateWayScaleUnit", - "type": "Microsoft.Common.DropDown", - "label": "Select the VPN Gateway scale unit", - "defaultValue": "", - "multiselect": false, - "selectAll": false, - "filter": false, - "multiLine": true, - "visible": "[and(equals(steps('connectivity').enableVpnGw, 'Yes'), equals(steps('connectivity').enableHub, 'vwan'))]", - "toolTip": "Select the VPN Gateway scale unit", - "constraints": { - "allowedValues": [ + "label": "privatelink.region.kusto.windows.net", + "value": "[format('privatelink.{0}.kusto.windows.net', toLower(steps('connectivity').connectivityLocation))]", + "description": "This Private DNS Zone contains the Azure Region's short name (e.g. 
'uksouth') that is based on the region selected above for your hub." + }, { - "label": "1 scale unit", - "description": "Supports 500 Mbps x2", - "value": "1" + "label": "privatelink.adf.azure.com", + "value": "privatelink.adf.azure.com" }, { - "label": "2 scale units", - "description": "Supports 1 Gbps x 2", - "value": "2" + "label": "privatelink.afs.azure.net", + "value": "privatelink.afs.azure.net" }, { - "label": "3 scale units", - "description": "Supports 1.5 Gbps x 2", - "value": "3" + "label": "privatelink.agentsvc.azure-automation.net", + "value": "privatelink.agentsvc.azure-automation.net" }, { - "label": "4 scale units", - "description": "Supports 2 Gbps x 2", - "value": "4" + "label": "privatelink.analysis.windows.net", + "value": "privatelink.analysis.windows.net" }, { - "label": "5 scale units", - "description": "Supports 2.5 Gbps x 2", - "value": "5" + "label": "privatelink.api.azureml.ms", + "value": "privatelink.api.azureml.ms" }, { - "label": "6 scale units", - "description": "Supports 3 Gbps x 2", - "value": "6" + "label": "privatelink.azconfig.io", + "value": "privatelink.azconfig.io" }, { - "label": "7 scale units", - "description": "Supports 3.5 Gbps x 2", - "value": "7" + "label": "privatelink.azure-api.net", + "value": "privatelink.azure-api.net" }, { - "label": "8 scale units", - "description": "Supports 4 Gbps x 2", - "value": "8" + "label": "privatelink.azure-automation.net", + "value": "privatelink.azure-automation.net" }, { - "label": "9 scale units", - "description": "Supports 4.5 Gbps x 2", - "value": "9" + "label": "privatelink.azurecr.io", + "value": "privatelink.azurecr.io" }, { - "label": "10 scale units", - "description": "Supports 5 Gbps x 2", - "value": "10" + "label": "privatelink.azure-devices.net", + "value": "privatelink.azure-devices.net" }, { - "label": "11 scale units", - "description": "Supports 5.5 Gbps x 2", - "value": "11" + "label": "privatelink.azure-devices-provisioning.net", + "value": 
"privatelink.azure-devices-provisioning.net" }, { - "label": "12 scale units", - "description": "Supports 6 Gbps x 2", - "value": "12" + "label": "privatelink.azuredatabricks.net", + "value": "privatelink.azuredatabricks.net" }, { - "label": "13 scale units", - "description": "Supports 6.5 Gbps x 2", - "value": "13" + "label": "privatelink.azurehdinsight.net", + "value": "privatelink.azurehdinsight.net" }, { - "label": "14 scale units", - "description": "Supports 7 Gbps x 2", - "value": "14" + "label": "privatelink.azurehealthcareapis.com", + "value": "privatelink.azurehealthcareapis.com" }, { - "label": "15 scale units", - "description": "Supports 7.5 Gbps x 2", - "value": "15" + "label": "privatelink.azureiotcentral.com", + "value": "privatelink.azureiotcentral.com" }, { - "label": "16 scale units", - "description": "Supports 8 Gbps x 2", - "value": "16" + "label": "privatelink.azurestaticapps.net", + "value": "privatelink.azurestaticapps.net" }, { - "label": "17 scale units", - "description": "Supports 8.5 Gbps x 2", - "value": "17" + "label": "privatelink.azuresynapse.net", + "value": "privatelink.azuresynapse.net" }, { - "label": "18 scale units", - "description": "Supports 9 Gbps x 2", - "value": "18" + "label": "privatelink.azurewebsites.net", + "value": "privatelink.azurewebsites.net" }, { - "label": "19 scale units", - "description": "Supports 9.5 Gbps x 2", - "value": "19" + "label": "privatelink.batch.azure.com", + "value": "privatelink.batch.azure.com" }, { - "label": "20 scale units", - "description": "Supports 10 Gbps x 2", - "value": "20" - } - ] - } - }, - { - "name": "subnetMaskForGw", - "type": "Microsoft.Common.TextBox", - "label": "Subnet for VPN/ExpressRoute Gateways", - "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.1.0/24)", - "defaultValue": "10.100.1.0/24", - "visible": "[and(not(equals(steps('connectivity').enableHub, 'vwan')), or(equals(steps('connectivity').enableErGw, 'Yes'),equals(steps('connectivity').enableVpnGw, 
'Yes')))]", - "constraints": { - "required": true, - "validations": [ + "label": "privatelink.blob.core.windows.net", + "value": "privatelink.blob.core.windows.net" + }, { - "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-7]))$", - "message": "Invalid CIDR range. The address prefix must be in the range [20,27]." + "label": "privatelink.cassandra.cosmos.azure.com", + "value": "privatelink.cassandra.cosmos.azure.com" }, { - "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').subnetMaskForGw, '/')), '.'), 1))), true)]", - "message": "CIDR range not within virtual network CIDR range (first octet)." + "label": "privatelink.cognitiveservices.azure.com", + "value": "privatelink.cognitiveservices.azure.com" }, { - "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').subnetMaskForGw, '/')), '.'), 2))), true)]", - "message": "CIDR range not within virtual network CIDR range (second octet)." + "label": "privatelink.database.windows.net", + "value": "privatelink.database.windows.net" }, { - "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').subnetMaskForGw, '/')), '.'), 3))), true)]", - "message": "CIDR range not within virtual network CIDR range (third octet)." 
+ "label": "privatelink.datafactory.azure.net", + "value": "privatelink.datafactory.azure.net" }, { - "isValid": "[lessOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), last(split(steps('connectivity').subnetMaskForGw, '/')))]", - "message": "CIDR range not within virtual network CIDR range (subnet mask)." + "label": "privatelink.dev.azuresynapse.net", + "value": "privatelink.dev.azuresynapse.net" + }, + { + "label": "privatelink.dfs.core.windows.net", + "value": "privatelink.dfs.core.windows.net" + }, + { + "label": "privatelink.dicom.azurehealthcareapis.com", + "value": "privatelink.dicom.azurehealthcareapis.com" + }, + { + "label": "privatelink.digitaltwins.azure.net", + "value": "privatelink.digitaltwins.azure.net" + }, + { + "label": "privatelink.directline.botframework.com", + "value": "privatelink.directline.botframework.com" + }, + { + "label": "privatelink.documents.azure.com", + "value": "privatelink.documents.azure.com" + }, + { + "label": "privatelink.dp.kubernetesconfiguration.azure.com", + "value": "privatelink.dp.kubernetesconfiguration.azure.com" + }, + { + "label": "privatelink.eventgrid.azure.net", + "value": "privatelink.eventgrid.azure.net" + }, + { + "label": "privatelink.file.core.windows.net", + "value": "privatelink.file.core.windows.net" + }, + { + "label": "privatelink.grafana.azure.com", + "value": "privatelink.grafana.azure.com" + }, + { + "label": "privatelink.gremlin.cosmos.azure.com", + "value": "privatelink.gremlin.cosmos.azure.com" + }, + { + "label": "privatelink.guestconfiguration.azure.com", + "value": "privatelink.guestconfiguration.azure.com" + }, + { + "label": "privatelink.his.arc.azure.com", + "value": "privatelink.his.arc.azure.com" + }, + { + "label": "privatelink.kubernetesconfiguration.azure.com", + "value": "privatelink.kubernetesconfiguration.azure.com" + }, + { + "label": "privatelink.managedhsm.azure.net", + "value": "privatelink.managedhsm.azure.net" + }, + { + "label": 
"privatelink.mariadb.database.azure.com", + "value": "privatelink.mariadb.database.azure.com" + }, + { + "label": "privatelink.media.azure.net", + "value": "privatelink.media.azure.net" + }, + { + "label": "privatelink.mongo.cosmos.azure.com", + "value": "privatelink.mongo.cosmos.azure.com" + }, + { + "label": "privatelink.monitor.azure.com", + "value": "privatelink.monitor.azure.com" + }, + { + "label": "privatelink.mysql.database.azure.com", + "value": "privatelink.mysql.database.azure.com" + }, + { + "label": "privatelink.notebooks.azure.net", + "value": "privatelink.notebooks.azure.net" + }, + { + "label": "privatelink.ods.opinsights.azure.com", + "value": "privatelink.ods.opinsights.azure.com" + }, + { + "label": "privatelink.oms.opinsights.azure.com", + "value": "privatelink.oms.opinsights.azure.com" + }, + { + "label": "privatelink.pbidedicated.windows.net", + "value": "privatelink.pbidedicated.windows.net" + }, + { + "label": "privatelink.postgres.database.azure.com", + "value": "privatelink.postgres.database.azure.com" + }, + { + "label": "privatelink.prod.migration.windowsazure.com", + "value": "privatelink.prod.migration.windowsazure.com" + }, + { + "label": "privatelink.purview.azure.com", + "value": "privatelink.purview.azure.com" + }, + { + "label": "privatelink.purviewstudio.azure.com", + "value": "privatelink.purviewstudio.azure.com" + }, + { + "label": "privatelink.queue.core.windows.net", + "value": "privatelink.queue.core.windows.net" + }, + { + "label": "privatelink.redis.cache.windows.net", + "value": "privatelink.redis.cache.windows.net" + }, + { + "label": "privatelink.redisenterprise.cache.azure.net", + "value": "privatelink.redisenterprise.cache.azure.net" + }, + { + "label": "privatelink.search.windows.net", + "value": "privatelink.search.windows.net" + }, + { + "label": "privatelink.service.signalr.net", + "value": "privatelink.service.signalr.net" + }, + { + "label": "privatelink.servicebus.windows.net", + "value": 
"privatelink.servicebus.windows.net" + }, + { + "label": "privatelink.siterecovery.windowsazure.com", + "value": "privatelink.siterecovery.windowsazure.com" + }, + { + "label": "privatelink.sql.azuresynapse.net", + "value": "privatelink.sql.azuresynapse.net" + }, + { + "label": "privatelink.table.core.windows.net", + "value": "privatelink.table.core.windows.net" + }, + { + "label": "privatelink.table.cosmos.azure.com", + "value": "privatelink.table.cosmos.azure.com" + }, + { + "label": "privatelink.tip1.powerquery.microsoft.com", + "value": "privatelink.tip1.powerquery.microsoft.com" + }, + { + "label": "privatelink.token.botframework.com", + "value": "privatelink.token.botframework.com" + }, + { + "label": "privatelink.vaultcore.azure.net", + "value": "privatelink.vaultcore.azure.net" + }, + { + "label": "privatelink.web.core.windows.net", + "value": "privatelink.web.core.windows.net" + }, + { + "label": "privatelink.webpubsub.azure.com", + "value": "privatelink.webpubsub.azure.com" + }, + { + "label": "privatelink.wvd.microsoft.com", + "value": "privatelink.wvd.microsoft.com" + }, + { + "label": "privatelink-global.wvd.microsoft.com", + "value": "privatelink-global.wvd.microsoft.com" } ] } }, { - "name": "enableErGw", + "name": "enableVpnGw", "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy ExpressRoute Gateway", + "label": "Deploy VPN Gateway", "defaultValue": "No", "visible": "[not(equals(steps('connectivity').enableHub, 'No'))]", - "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route gateway", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy VPN gateway", "constraints": { "allowedValues": [ { 
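Review bot: `"value" : "privatelink-global.wvd.microsoft.com"` in the `privateDnsZones` `defaultValue` has a space before the colon, unlike every other entry in the list; write it as `"value": "privatelink-global.wvd.microsoft.com"` so the file stays consistent for the next diff. More importantly, `privatelink.regionGeoShortCode.backup.windowsazure.com` is emitted as a literal in both `defaultValue` and `allowedValues`, while its three region-specific neighbours are computed with `format(...)` from `connectivityLocation`, so the `regionGeoShortCode` token has to be substituted by whatever consumes this output (presumably the deployment template); if that mapping is missing, or a newly selectable region has no geo code, a zone with that literal name is created and private endpoints that depend on it would likely fail to resolve. The entry's `description` should say that the token is replaced at deployment time rather than only that it "is based on the region selected above", and its "list available here" wording, like the DDoS toolTip earlier in this file, carries no link because descriptions are plain strings. The `privateDnsZones` element ends inside the hunk; the renamed `enableVpnGw` element that follows continues outside it.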
@@ -1466,12 +1812,12 @@
 }
 },
 {
- "name": "erRegionalOrAz",
+ "name": "gwRegionalOrAz",
 "type": "Microsoft.Common.OptionsGroup",
- "label": "Deploy zone redundant or regional ExpressRoute Gateway",
+ "label": "Deploy zone redundant or regional VPN Gateway",
 "defaultValue": "Zone redundant (recommended)",
- "visible": "[and(and(equals(steps('connectivity').enableErGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').enableErGw,'Yes'),contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia', ','), steps('connectivity').connectivityLocation))]",
- "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route Gateway to the selected region and availability zones.",
+ "visible": "[and(and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableVpnGw,'Yes'),contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').connectivityLocation))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.",
 "constraints": {
 "allowedValues": [
 {
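Review bot: The new `visible` expression on `gwRegionalOrAz` tests `equals(steps('connectivity').enableVpnGw,'Yes')` twice, once inside the inner `and` and again as the second operand, so the inner `and` adds nothing; `[and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), contains(split(…, ','), steps('connectivity').connectivityLocation))]` with the same region list says the same thing, and the identical duplicated test appears in the `enableVpnActiveActive` and `esGwNoAzSku` expressions in the next hunk. The zone-capable region list is also a literal here and again in `esGwNoAzSku` (both now include `italynorth`), so any future region addition has to be applied to every copy or the Zone/Regional choice and the SKU dropdown will disagree for that region; a short note in the repository documentation naming the expressions that share the list would make that coupling visible. The `gwRegionalOrAz` element continues past the end of the hunk.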
@@ -1486,331 +1832,293 @@ } }, { - "name": "erAzSku", + "name": "enableVpnActiveActive", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy VPN Gateway in Active/Active mode", + "defaultValue": "No", + "visible": "[and(equals(steps('connectivity').enableVpnGw,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').enableVpnGw,'Yes'))]", + "toolTip": "Deploy the VPN gateway in Active/Active mode", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esGwNoAzSku", "type": "Microsoft.Common.DropDown", - "label": "Select the ExpressRoute Gateway SKU", + "label": "Select the VPN Gateway SKU", "defaultValue": "", "multiselect": false, "selectAll": false, "filter": false, "multiLine": true, - "visible": "[and(and(equals(steps('connectivity').enableErGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').enableErGw,'Yes'), equals(steps('connectivity').erRegionalOrAz, 'Zone'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia', ','), steps('connectivity').connectivityLocation))]", - "toolTip": "Select the required SKU for the Express Route gateway.", + "visible": "[and(and(equals(steps('connectivity').enableVpnGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableVpnGw,'Yes'), 
not(contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').connectivityLocation)))]", + "toolTip": "Select the required SKU for the VPN gateway.", "constraints": { "allowedValues": [ { - "label": "ErGw1AZ", - "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", - "value": "ErGw1AZ" + "label": "VpnGw2", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2" }, { - "label": "ErGw2AZ", - "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", - "value": "ErGw2AZ" + "label": "VpnGw3", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3" }, { - "label": "ErGw3AZ", - "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", - "value": "ErGw3AZ" + "label": "VpnGw4", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4" + }, + { + "label": "VpnGw5", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5" } ] } }, { - "name": "erRegionalSku", + "name": "gwAzSku", "type": "Microsoft.Common.DropDown", - "label": "Select the 
ExpressRoute Gateway SKU", + "label": "Select the VPN Gateway SKU", "defaultValue": "", "multiselect": false, "selectAll": false, "filter": false, "multiLine": true, - "visible": "[and(and(equals(steps('connectivity').enableErGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableErGw,'Yes'), equals(steps('connectivity').erRegionalOrAz, 'Regional'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia', ','), steps('connectivity').connectivityLocation))]", - "toolTip": "Select the required SKU for the Express Route gateway.", + "visible": "[and(and(equals(steps('connectivity').enableVpnGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableVpnGw,'Yes'), equals(steps('connectivity').gwRegionalOrAz, 'Zone') ,contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').connectivityLocation))]", + "toolTip": "Select the required SKU for the VPN gateway.", "constraints": { "allowedValues": [ { - "label": "Standard", - "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", - "value": "Standard" + "label": "VpnGw2AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2AZ" }, { - "label": "HighPerformance", - 
"description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", - "value": "HighPerformance" + "label": "VpnGw3AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3AZ" }, { - "label": "UltraPerformance", - "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", - "value": "UltraPerformance" + "label": "VpnGw4AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4AZ" + }, + { + "label": "VpnGw5AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5AZ" } ] } }, { - "name": "esErNoAzSku", + "name": "gwRegionalSku", "type": "Microsoft.Common.DropDown", - "label": "Select the ExpressRoute Gateway SKU", + "label": "Select the VPN Gateway SKU", "defaultValue": "", "multiselect": false, "selectAll": false, "filter": false, "multiLine": true, - "visible": "[and(and(equals(steps('connectivity').enableErGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').enableErGw,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('connectivity').connectivityLocation)))]", - "toolTip": "Select the required SKU for the Express Route gateway.", + "visible": "[and(and(equals(steps('connectivity').enableVpnGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableVpnGw,'Yes'), 
equals(steps('connectivity').gwRegionalOrAz, 'Regional'))]", + "toolTip": "Select the required SKU for the VPN gateway.", "constraints": { "allowedValues": [ { - "label": "Standard", - "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", - "value": "Standard" + "label": "VpnGw2", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2" }, { - "label": "HighPerformance", - "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", - "value": "HighPerformance" + "label": "VpnGw3", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3" }, { - "label": "UltraPerformance", - "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", - "value": "UltraPerformance" + "label": "VpnGw4", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4" + }, + { + "label": "VpnGw5", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5" } ] } }, { - "name": "expressRouteScaleUnit", + "name": "vpnGateWayScaleUnit", "type": "Microsoft.Common.DropDown", - "label": "Select the ExpressRoute Gateway scale unit", + "label": "Select the VPN Gateway scale unit", "defaultValue": "", "multiselect": false, "selectAll": false, "filter": false, "multiLine": true, - "visible": "[and(equals(steps('connectivity').enableErGw, 'Yes'), 
equals(steps('connectivity').enableHub, 'vwan'))]", - "toolTip": "Select the ExpressRoute Gateway scale unit", + "visible": "[and(equals(steps('connectivity').enableVpnGw, 'Yes'), equals(steps('connectivity').enableHub, 'vwan'))]", + "toolTip": "Select the VPN Gateway scale unit", "constraints": { "allowedValues": [ { "label": "1 scale unit", - "description": "Supports 2 Gbps", + "description": "Supports 500 Mbps x2", "value": "1" }, { "label": "2 scale units", - "description": "Supports 4 Gbps", + "description": "Supports 1 Gbps x 2", "value": "2" }, { "label": "3 scale units", - "description": "Supports 6 Gbps", + "description": "Supports 1.5 Gbps x 2", "value": "3" }, { "label": "4 scale units", - "description": "Supports 8 Gbps", + "description": "Supports 2 Gbps x 2", "value": "4" }, { "label": "5 scale units", - "description": "Supports 10 Gbps", + "description": "Supports 2.5 Gbps x 2", "value": "5" }, { "label": "6 scale units", - "description": "Supports 12 Gbps", + "description": "Supports 3 Gbps x 2", "value": "6" }, { "label": "7 scale units", - "description": "Supports 14 Gbps", + "description": "Supports 3.5 Gbps x 2", "value": "7" }, { "label": "8 scale units", - "description": "Supports 16 Gbps", + "description": "Supports 4 Gbps x 2", "value": "8" }, { "label": "9 scale units", - "description": "Supports 18 Gbps", + "description": "Supports 4.5 Gbps x 2", "value": "9" }, { "label": "10 scale units", - "description": "Supports 20 Gbps", + "description": "Supports 5 Gbps x 2", "value": "10" - } - ] - } - }, - { - "name": "enableAzFw", - "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy Azure Firewall", - "defaultValue": "Yes (recommended)", - "visible": "[or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan'))]", - "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall", - "constraints": { - "allowedValues": [ + }, { - "label": "Yes 
(recommended)", - "value": "Yes" + "label": "11 scale units", + "description": "Supports 5.5 Gbps x 2", + "value": "11" }, { - "label": "No", - "value": "No" - } - ] - } - }, - { - "name": "enableAzFwDnsProxy", - "type": "Microsoft.Common.OptionsGroup", - "label": "Enable Azure Firewall as a DNS proxy", - "defaultValue": "No", - "visible": "[equals(steps('connectivity').enableAzFw, 'Yes')]", - "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.", - "constraints": { - "allowedValues": [ + "label": "12 scale units", + "description": "Supports 6 Gbps x 2", + "value": "12" + }, { - "label": "Yes", - "value": "Yes" + "label": "13 scale units", + "description": "Supports 6.5 Gbps x 2", + "value": "13" }, { - "label": "No", - "value": "No" - } - ] - } - }, - { - "name": "firewallSku", - "type": "Microsoft.Common.DropDown", - "label": "Select Azure Firewall tier", - "defaultValue": "Premium", - "multiselect": false, - "selectAll": false, - "filter": false, - "multiLine": true, - "visible": "[equals(steps('connectivity').enableAzFw, 'Yes')]", - "toolTip": "Select Azure Firewall tier", - "constraints": { - "allowedValues": [ + "label": "14 scale units", + "description": "Supports 7 Gbps x 2", + "value": "14" + }, { - "label": "Standard", - "description": "Standard Azure Firewall", - "value": "Standard" + "label": "15 scale units", + "description": "Supports 7.5 Gbps x 2", + "value": "15" }, { - "label": "Premium", - "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.", - "value": "Premium" - } - ] - } - }, - { - "name": "firewallZones", - "type": "Microsoft.Common.DropDown", - "label": "Select Availability Zones for the Azure Firewall", - "defaultValue": "None", - "multiselect": true, - "selectAll": true, - "filter": true, - "visible": "[if(or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 
'vwan')), and(equals(steps('connectivity').enableAzFw,'Yes'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia', ','), steps('connectivity').connectivityLocation)), false)]", - "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.", - "constraints": { - "allowedValues": [ + "label": "16 scale units", + "description": "Supports 8 Gbps x 2", + "value": "16" + }, { - "label": "Zone 1", - "value": "1" + "label": "17 scale units", + "description": "Supports 8.5 Gbps x 2", + "value": "17" }, { - "label": "Zone 2", - "value": "2" + "label": "18 scale units", + "description": "Supports 9 Gbps x 2", + "value": "18" }, { - "label": "Zone 3", - "value": "3" + "label": "19 scale units", + "description": "Supports 9.5 Gbps x 2", + "value": "19" + }, + { + "label": "20 scale units", + "description": "Supports 10 Gbps x 2", + "value": "20" } ] } }, { - "name": "subnetMaskForAzFw", + "name": "subnetMaskForGw", "type": "Microsoft.Common.TextBox", - "label": "Subnet for Azure Firewall", - "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/24)", - "defaultValue": "10.100.0.0/24", - "visible": "[and(equals(steps('connectivity').enableAzFw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')))]", + "label": "Subnet for VPN/ExpressRoute Gateways", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.1.0/24)", + "defaultValue": "10.100.1.0/24", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'vwan')), or(equals(steps('connectivity').enableErGw, 'Yes'),equals(steps('connectivity').enableVpnGw, 'Yes')))]", "constraints": { "required": true, "validations": [ { - "regex": 
"^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$", - "message": "Invalid CIDR range. The address prefix must be in the range [20,26]." + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-7]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,27]." }, { - "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').subnetMaskForAzFw, '/')), '.'), 1))), true)]", + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').subnetMaskForGw, '/')), '.'), 1))), true)]", "message": "CIDR range not within virtual network CIDR range (first octet)." }, { - "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').subnetMaskForAzFw, '/')), '.'), 2))), true)]", + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').subnetMaskForGw, '/')), '.'), 2))), true)]", "message": "CIDR range not within virtual network CIDR range (second octet)." 
}, { - "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').subnetMaskForAzFw, '/')), '.'), 3))), true)]", + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').subnetMaskForGw, '/')), '.'), 3))), true)]", "message": "CIDR range not within virtual network CIDR range (third octet)." }, { - "isValid": "[lessOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), last(split(steps('connectivity').subnetMaskForAzFw, '/')))]", + "isValid": "[lessOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), last(split(steps('connectivity').subnetMaskForGw, '/')))]", "message": "CIDR range not within virtual network CIDR range (subnet mask)." } ] } - } - ] - }, - { - "name": "identity", - "label": "Identity", - "subLabel": { - "preValidation": "", - "postValidation": "" - }, - "bladeTitle": "ALZ - Identity Settings", - "elements": [ - { - "name": "multiPlatformIdentitySub", - "type": "Microsoft.Common.InfoBox", - "visible": "[not(equals(steps('core').platformSubscription, 'Single'))]", - "options": { - "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, you must allocate an identity Subscription that is dedicated to host your Active Directory domain controllers. Please note, this Subscription will be moved to the identity Management Group, and ARM will assign the selected policies. 
We recommend using a new Subscription with no existing resources.", - "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management", - "style": "Info" - } }, { - "name": "singlePlatformIdentitySub", - "type": "Microsoft.Common.InfoBox", - "visible": "[equals(steps('core').platformSubscription, 'Single')]", - "options": { - "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, it is recommended to assign specific policies to govern the virtual machines used for Active Directory domain controllers.", - "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management", - "style": "Info" - } - }, - { - "name": "esIdentity", + "name": "enableErGw", "type": "Microsoft.Common.OptionsGroup", - "label": "Assign recommended policies to govern identity and domain controllers", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.", + "label": "Deploy ExpressRoute Gateway", + "defaultValue": "No", + "visible": "[not(equals(steps('connectivity').enableHub, 'No'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route gateway", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", + "label": "Yes", "value": "Yes" }, { 
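Review bot: The containment validations on `subnetMaskForGw` compare whole octets only, gated on the hub prefix length being at least 8, 16 or 24, so a hub VNet whose prefix is not octet-aligned (a /22, for instance) accepts a gateway subnet that lies outside it, and the mismatch only surfaces when ARM creates the subnet. The checks were carried over unchanged from `subnetMaskForAzFw`, so this is inherited rather than introduced here, but the rename is the right moment to either tighten the check, if the expression functions available permit numeric prefix arithmetic, or make the message honest about what it verifies, e.g. `"message": "CIDR range not within virtual network CIDR range (checked on whole octets only)."`. Separately, the `visible` expressions of `enableVpnActiveActive`, `esGwNoAzSku`, `gwAzSku` and `gwRegionalSku` each test `equals(steps('connectivity').enableVpnGw,'Yes')` twice within one `and(...)`; dropping the duplicate term in each shortens expressions that a reviewer otherwise has to read character by character. The scale-unit descriptions also mix `Supports 500 Mbps x2` with `Supports 1 Gbps x 2`; one spacing should be used throughout.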
@@ -1818,213 +2126,194 @@ "value": "No" } ] - }, - "visible": true - }, - { - "name": "esIdentitySubSection", - "type": "Microsoft.Common.Section", - "label": "Identity subscription", - "elements": [ - { - "name": "esIdentitySubUniqueWarning", - "type": "Microsoft.Common.InfoBox", - "visible": true, - "options": { - "text": "Ensure you select a subscription that is dedicated/unique for Identity. Selecting the same Subscription here for Management or Connectivity will result in a deployment failure. If you want to use a single Subscription for all platform resources, select 'Single' on the 'Azure Core Setup' blade.", - "uri": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions#organization-and-governance-design-considerations", - "style": "Warning" - } - }, - { - "name": "esIdentitySub", - "type": "Microsoft.Common.DropDown", - "label": "Identity subscription", - "defaultValue": "[parse('[]')]", - "toolTip": "", - "multiselect": false, - "selectAll": false, - "filter": true, - "filterPlaceholder": "Filter subscriptions...", - "multiLine": true, - "visible": true, - "constraints": { - "allowedValues": "[steps('basics').getSubscriptions.data]", - "required": true - } - } - ], - "visible": "[and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single')))]" - }, - { - "name": "identitypolicies", - "type": "Microsoft.Common.TextBlock", - "visible": "[equals(steps('identity').esIdentity,'Yes')]", - "options": { - "text": "Select which of the the recommended policies you will assign to your identity management group.", - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance" - } } }, { - "name": "denyRdpForIdentity", + "name": "erRegionalOrAz", "type": "Microsoft.Common.OptionsGroup", - "label": "Prevent inbound RDP from internet", - 
"defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound RDP from internet", + "label": "Deploy zone redundant or regional ExpressRoute Gateway", + "defaultValue": "Zone redundant (recommended)", + "visible": "[and(and(equals(steps('connectivity').enableErGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').enableErGw,'Yes'),contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').connectivityLocation))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route Gateway to the selected region and availability zones.", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", - "value": "Yes" + "label": "Zone redundant (recommended)", + "value": "Zone" }, { - "label": "No", - "value": "No" + "label": "Regional", + "value": "Regional" } ] - }, - "visible": "[equals(steps('identity').esIdentity,'Yes')]" + } }, { - "name": "denySubnetWithoutNsgForIdentity", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure subnets are associated with NSG", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created", + "name": "erAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('connectivity').enableErGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').enableErGw,'Yes'), 
equals(steps('connectivity').erRegionalOrAz, 'Zone'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').connectivityLocation))]", + "toolTip": "Select the required SKU for the Express Route gateway.", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", - "value": "Yes" + "label": "ErGw1AZ", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "ErGw1AZ" }, { - "label": "No", - "value": "No" - } - ] - }, - "visible": "[equals(steps('identity').esIdentity,'Yes')]" - }, - { - "name": "denyPipForIdentity", - "type": "Microsoft.Common.OptionsGroup", - "label": "Prevent usage of public IP", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure public IP resources cannot be created", - "constraints": { - "allowedValues": [ - { - "label": "Yes (recommended)", - "value": "Yes" + "label": "ErGw2AZ", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "ErGw2AZ" }, { - "label": "No", - "value": "No" + "label": "ErGw3AZ", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "ErGw3AZ" } ] - }, - "visible": "[and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single')))]" + } }, { - "name": "enableVmBackupForIdentity", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup", - "defaultValue": 
"Yes (recommended)", - "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.", + "name": "erRegionalSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('connectivity').enableErGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').enableErGw,'Yes'), equals(steps('connectivity').erRegionalOrAz, 'Regional'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').connectivityLocation))]", + "toolTip": "Select the required SKU for the Express Route gateway.", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", - "value": "Yes" + "label": "Standard", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "Standard" }, { - "label": "No", - "value": "No" + "label": "HighPerformance", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "HighPerformance" + }, + { + "label": "UltraPerformance", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "UltraPerformance" } ] - }, - "visible": "[equals(steps('identity').esIdentity,'Yes')]" + } }, { - "name": "esIdentityConnectivity", - "type": "Microsoft.Common.OptionsGroup", - "label": "Create virtual network and connect to the 
connectivity hub (optional)?", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.", + "name": "esErNoAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('connectivity').enableErGw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').enableErGw,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('connectivity').connectivityLocation)))]", + "toolTip": "Select the required SKU for the Express Route gateway.", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", - "value": "Yes" + "label": "Standard", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "Standard" }, { - "label": "No", - "value": "No" + "label": "HighPerformance", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "HighPerformance" + }, + { + "label": "UltraPerformance", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "UltraPerformance" } ] - }, - "visible": "[and(and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single'))), equals(steps('identity').esIdentity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]" + } }, { - "name": "identityAddressPrefix", - "type": "Microsoft.Common.TextBox", - 
"label": "Virtual network address space", - "placeholder": "", - "defaultValue": "10.110.0.0/24", - "toolTip": "The virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)", + "name": "expressRouteScaleUnit", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway scale unit", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('connectivity').enableErGw, 'Yes'), equals(steps('connectivity').enableHub, 'vwan'))]", + "toolTip": "Select the ExpressRoute Gateway scale unit", "constraints": { - "required": true, - "validations": [ + "allowedValues": [ { - "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-9]))$", - "message": "Invalid CIDR range. The address prefix must be in the range [10,29]." + "label": "1 scale unit", + "description": "Supports 2 Gbps", + "value": "1" + }, + { + "label": "2 scale units", + "description": "Supports 4 Gbps", + "value": "2" + }, + { + "label": "3 scale units", + "description": "Supports 6 Gbps", + "value": "3" + }, + { + "label": "4 scale units", + "description": "Supports 8 Gbps", + "value": "4" + }, + { + "label": "5 scale units", + "description": "Supports 10 Gbps", + "value": "5" + }, + { + "label": "6 scale units", + "description": "Supports 12 Gbps", + "value": "6" + }, + { + "label": "7 scale units", + "description": "Supports 14 Gbps", + "value": "7" + }, + { + "label": "8 scale units", + "description": "Supports 16 Gbps", + "value": "8" + }, + { + "label": "9 scale units", + "description": "Supports 18 Gbps", + "value": "9" + }, + { + "label": "10 scale units", + "description": "Supports 20 Gbps", + "value": "10" } ] - }, - "visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), 
not(equals(steps('connectivity').enableHub,'No')))]" - } - ] - }, - { - "name": "landingZones", - "label": "Landing zones configuration", - "subLabel": { - "preValidation": "", - "postValidation": "" - }, - "bladeTitle": "ALZ - Landing Zones Settings", - "elements": [ - { - "name": "infoBox1", - "type": "Microsoft.Common.InfoBox", - "visible": true, - "options": { - "text": "You can optionally provide subscriptions for your first landing zones for both 'online' and 'corp' and assign recommended policies that will ensure workloads will be secure, monitored, and protected according to best practices.", - "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance", - "style": "Info" - } - }, - { - "name": "corpText", - "type": "Microsoft.Common.TextBlock", - "visible": true, - "options": { - "text": "Select the subscriptions you want to move to corp management group.", - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization" - } } }, { - "name": "esLzConnectivity", + "name": "enableAzFw", "type": "Microsoft.Common.OptionsGroup", - "label": "Connect corp landing zones to the connectivity hub (optional)?", - "defaultValue": "No", - "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.", + "label": "Deploy Azure Firewall", + "defaultValue": "Yes (recommended)", + "visible": "[or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall", "constraints": { "allowedValues": [ { 
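Review bot: The region list in the `visible` expression of `esErNoAzSku` is a shorter list (it lacks brazilsouth, westus3, norwayeast, swedencentral, switzerlandnorth, qatarcentral, uaenorth, centralindia, koreacentral and eastasia) than the one `erRegionalOrAz`, `erAzSku` and `erRegionalSku` use, so for a region present only in the longer list, swedencentral for example, the zone/regional selector and the no-AZ SKU dropdown are displayed together and two SKU selections can be submitted for one gateway. The VPN counterpart `esGwNoAzSku` in the previous hunk negates the full list, so this looks like an oversight when `italynorth` was appended to both lists rather than the lists being unified. Replacing the short list in `esErNoAzSku` with the same `brazilsouth,...,italynorth` string used by `erRegionalOrAz` two elements above restores the mutual exclusion. Which of the two selections the ARM template consumes in the overlapping case is decided outside this hunk.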
@@ -2036,213 +2325,155 @@ "value": "No" } ] - }, - "visible": "[or(equals(steps('connectivity').enableHub, 'nva'), equals(steps('connectivity').enableHub, 'vhub'))]" + } }, { - "name": "esCorpLzSub", + "name": "firewallSku", "type": "Microsoft.Common.DropDown", - "label": "Corp landing zone subscriptions (optional)", - "defaultValue": "[parse('[]')]", - "toolTip": "", - "multiselect": true, - "selectAll": true, - "filter": true, - "filterPlaceholder": "Filter items ...", + "label": "Select Azure Firewall tier", + "defaultValue": "Premium", + "multiselect": false, + "selectAll": false, + "filter": false, "multiLine": true, - "visible": "[or(or(equals(steps('landingZones').esLzConnectivity, 'No'), equals(steps('connectivity').enableHub, 'No')), equals(steps('connectivity').enableHub, 'vwan'), equals(steps('landingZones').esLzConnectivity, 'No'))]", - "constraints": { - "allowedValues": "[steps('basics').getSubscriptions.data]", - "required": false - } - }, - { - "name": "lzConnectedSubs", - "type": "Microsoft.Common.EditableGrid", - "ariaLabel": "Add existing subscriptions into the management group landing zone and provide address space for virtual network peering", - "label": "Corp connected landing zone subscriptions (optional)", - "visible": "[equals(steps('landingZones').esLzConnectivity, 'Yes')]", + "visible": "[equals(steps('connectivity').enableAzFw, 'Yes')]", + "toolTip": "Select Azure Firewall tier", "constraints": { - "width": "Full", - "rows": { - "count": { - "min": 1, - "max": 10 - } - }, - "columns": [ + "allowedValues": [ { - "id": "subs", - "header": "Subscription", - "width": "1fr", - "element": { - "name": "esLzConnectedSub", - "type": "Microsoft.Common.DropDown", - "label": "Landing zone subscription", - "defaultValue": "[parse('[]')]", - "toolTip": "", - "multiselect": false, - "selectAll": false, - "filter": true, - "filterPlaceholder": "Filter items ...", - "multiLine": false, - "constraints": { - "allowedValues": 
"[steps('basics').getSubscriptions.data]", - "required": false - } - } + "label": "Basic", + "description": "Basic Azure Firewall", + "value": "Basic" }, { - "id": "addresses", - "header": "Virtual Network Address space", - "width": "1fr", - "element": { - "type": "Microsoft.Common.TextBox", - "placeholder": "Ensure there are no overlapping IP addresses!", - "constraints": { - "required": true, - "validations": [ - { - "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-4]))$", - "message": "Invalid CIDR range. The address prefix must be in the range [10,24]." - } - ] - } - } + "label": "Standard", + "description": "Standard Azure Firewall", + "value": "Standard" + }, + { + "label": "Premium", + "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.", + "value": "Premium" } ] } }, { - "name": "onlineText", - "type": "Microsoft.Common.TextBlock", - "visible": true, + "name": "esFWAZNote", + "type": "Microsoft.Common.InfoBox", + "visible": "[if(or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan')), and(equals(steps('connectivity').enableAzFw,'Yes'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').connectivityLocation)), false)]", "options": { - "text": "Select the subscriptions you want to move to online management group.", - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization" - } + "text": "ALZ enables 
Availability Zones for all services that it deploys by default for maximum resiliency in regions where Availability Zones are supported, including for Azure Firewall. Review the selected Availability Zones meet your architectural requirements and that you understand the added costs for inbound and outbound data transfers associated with Availability Zones, before proceeding. Click on this box to learn more about the Availability Zones and Azure Firewall.", + "uri": "https://learn.microsoft.com/en-us/azure/firewall/features#built-in-high-availability", + "style": "Info" } }, { - "name": "esOnlineLzSub", + "name": "firewallZones", "type": "Microsoft.Common.DropDown", - "label": "Online landing zone subscriptions (optional)", - "defaultValue": "[parse('[]')]", - "toolTip": "", + "label": "Select Availability Zones for the Azure Firewall", + "defaultValue": [{"value": "1"}, {"value": "2"}, {"value": "3"}], "multiselect": true, "selectAll": true, "filter": true, - "filterPlaceholder": "Filter items ...", - "multiLine": true, - "visible": true, - "constraints": { - "allowedValues": "[steps('basics').getSubscriptions.data]", - "required": false - } - }, - { - "name": "azMonText", - "type": "Microsoft.Common.TextBlock", - "visible": true, - "options": { - "text": "Select which of the the recommended policies you will assign to your landing zones.", - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance" - } - } - }, - { - "name": "enableLzDdoS", - "type": "Microsoft.Common.OptionsGroup", - "label": "Enable DDoS Network Protection", - "defaultValue": "Yes (recommended)", - "visible": "[and(not(equals(steps('connectivity').enableHub,'No')),equals(steps('connectivity').enableDdoS,'Yes'))]", - "toolTip": "If 'Yes' is selected when also adding a connectivity subscription earlier, DDoS Network Protection will be enabled.", + "visible": 
"[if(or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan')), and(equals(steps('connectivity').enableAzFw,'Yes'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').connectivityLocation)), false)]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", - "value": "Yes" + "label": "Zone 1", + "value": "1" }, { - "label": "Audit only", - "value": "Audit" + "label": "Zone 2", + "value": "2" }, { - "label": "No", - "value": "No" + "label": "Zone 3", + "value": "3" } ] } }, { - "name": "denyPublicEndpoints", - "type": "Microsoft.Common.OptionsGroup", - "label": "Prevent usage of Public Endpoints for Azure PaaS services in the corp connected landing zones", - "defaultValue": "Yes (recommended)", - "visible": true, - "toolTip": "If 'Yes' is selected then Azure Policy will prevent PaaS resources to use public endpoints.", + "name": "subnetMaskForAzFw", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for Azure Firewall", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/24)", + "defaultValue": "10.100.0.0/24", + "visible": "[and(equals(steps('connectivity').enableAzFw, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')))]", "constraints": { - "allowedValues": [ + "required": true, + "validations": [ { - "label": "Yes (recommended)", - "value": "Yes" + "regex": 
"^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,26]." }, { - "label": "Audit only", - "value": "Audit" + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').subnetMaskForAzFw, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." }, { - "label": "No", - "value": "No" + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').subnetMaskForAzFw, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').subnetMaskForAzFw, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." + }, + { + "isValid": "[lessOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), last(split(steps('connectivity').subnetMaskForAzFw, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." 
} ] } }, { - "name": "enablePrivateDnsZonesForLzs", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones in the corp connected landing zones", - "defaultValue": "Yes (recommended)", - "visible": "[equals(steps('connectivity').enablePrivateDnsZones, 'Yes')]", - "toolTip": "If 'Yes' is selected then Azure Policy will ensure private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones in the connectivity subscription on behalf of the users.", + "name": "subnetMaskForAzFwMgmt", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for Azure Firewall Mgmt (Optional Only for Basic SKU)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/26)", + "defaultValue": "10.100.2.0/24", + "visible": "[and(equals(steps('connectivity').enableAzFw, 'Yes'), equals(steps('connectivity').firewallSku, 'Basic'), not(equals(steps('connectivity').enableHub, 'vwan')))]", "constraints": { - "allowedValues": [ + "required": true, + "validations": [ { - "label": "Yes (recommended)", - "value": "Yes" + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,26]." }, { - "label": "Audit only", - "value": "Audit" + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').subnetMaskForAzFw, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." 
}, { - "label": "No", - "value": "No" + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').subnetMaskForAzFw, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esAddressHubHS, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').subnetMaskForAzFw, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." + }, + { + "isValid": "[lessOrEquals(last(split(steps('connectivity').esAddressHubHS, '/')), last(split(steps('connectivity').subnetMaskForAzFwMgmt, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." } ] } }, { - "name": "enableEncryptionInTransit", + "name": "enableAzFwDnsProxy", "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure encryption in transit is enabled for PaaS services", - "defaultValue": "Yes (recommended)", - "visible": true, - "toolTip": "If 'Yes' is selected then Azure Policy will ensure PaaS resources uses TLS and SSL.", + "label": "Enable Azure Firewall as a DNS proxy", + "defaultValue": "No", + "visible": "[and(equals(steps('connectivity').enableAzFw, 'Yes'), not(equals(steps('connectivity').firewallSku, 'Basic')))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", + "label": "Yes", "value": "Yes" }, - { - "label": "Audit only", - "value": "Audit" - }, { "label": "No", "value": "No" 
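Review bot: The three octet checks added for `subnetMaskForAzFwMgmt` compare the hub address space against `steps('connectivity').subnetMaskForAzFw` rather than against the field being validated, so a management subnet that lies outside the hub virtual network passes every validation except the final prefix-length one; each of those `isValid` expressions should read `last(take(split(first(split(steps('connectivity').subnetMaskForAzFwMgmt, '/')), '.'), N))` with N = 1, 2, 3. The same element's label calls the subnet "Optional Only for Basic SKU" while `required` is `true`, and its toolTip example `10.100.0.0/26` does not match the `10.100.2.0/24` default, so the three should be aligned so users are not told a mandatory field is optional. The octet-by-octet containment test used for both `subnetMaskForAzFw` and the Mgmt subnet is only an approximation for hub prefixes that are not a multiple of 8 (a /20 hub is only checked on its first two octets), which is worth a note in the toolTip if a tighter check is not feasible in the portal expression language. The hunk ends inside the `allowedValues` array of `enableAzFwDnsProxy`, whose closing braces are outside this hunk.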
@@ -2251,412 +2482,6522 @@ } }, { - "name": "enableVmMonitoring", + "name": "enablevWANRoutingIntent", "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure Azure VMs (Windows & Linux) and Azure Arc-enabled servers are being monitored", - "defaultValue": "Yes (recommended)", - "toolTip": "Enabling this Azure Policy will ensure that every virtual machine (Windows, Linux, including Azure Arc enabled servers) are onboarded to Azure Monitor and Security", + "label": "Enable vWAN Routing Intent", + "defaultValue": "No", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').enableAzFw, 'Yes'))]", + "toolTip": "Enable vWan Routing Intent and set Azure Firewall as the next hop either for Internet Traffic, Private Traffic or both", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", + "label": "Yes", "value": "Yes" }, - { - "label": "Audit only", - "value": "Audit" - }, { "label": "No", "value": "No" } ] - }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" + } }, { - "name": "enableVmssMonitoring", + "name": "vWANRoutingIntentforInternetTraffic", "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure Azure VMSS (Windows & Linux) are being monitored", - "defaultValue": "Yes (recommended)", - "toolTip": "Enabling this Azure Policy will ensure that every virtual machine scale set (Windows & Linux) are onboarded to Azure Monitor and Security", + "label": "Select Yes if you want to enable routing intent policy to apply on Internet Traffic", + "defaultValue": "No", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').enableAzFw, 'Yes'),equals(steps('connectivity').enablevWANRoutingIntent, 'Yes'))]", + "toolTip": "Enable vWAN 
Routing Intent for Internet Traffic", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", + "label": "Yes", "value": "Yes" }, - { - "label": "Audit only", - "value": "Audit" - }, { "label": "No", "value": "No" } ] - }, - "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]" + } }, { - "name": "enableAksPolicy", + "name": "vWANRoutingIntentforPrivateTraffic", "type": "Microsoft.Common.OptionsGroup", - "label": "Enable Kubernetes (AKS) for Azure Policy", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "label": "Select Yes if you want to enable routing intent policy to apply on Private Traffic", + "defaultValue": "No", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').enableAzFw, 'Yes'),equals(steps('connectivity').enablevWANRoutingIntent, 'Yes'))]", + "toolTip": "Enable vWAN Routing Intent for Private Traffic", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", + "label": "Yes", "value": "Yes" }, - { - "label": "Audit only", - "value": "Audit" - }, { "label": "No", "value": "No" } ] - }, - "visible": true + } }, { - "name": "denyAksPrivileged", - "type": "Microsoft.Common.OptionsGroup", - "label": "Prevent privileged containers in Kubernetes clusters", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, policy will be assigned to prevent privileged containers in AKS", + "name": "vWANHubRoutingPreference", + "type": "Microsoft.Common.DropDown", + "label": "Hub Routing Preference", + "defaultValue": "ExpressRoute (default)", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), 
not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')))]", + "toolTip": "Preference used in selecting best path when the virtual hub learns multiple paths to the same destination route-prefix.Virtual hub routing preference.", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", - "value": "Yes" + "label": "ExpressRoute (default)", + "description": "ExpressRoute is the preferred path. (default)", + "value": "ExpressRoute" }, { - "label": "Audit only", - "value": "Audit" + "label": "VPN", + "description": "VPN is the preferred path", + "value": "VpnGateway" }, { - "label": "No", - "value": "No" + "label": "AS Path", + "description": "AS Path is the preferred path", + "value": "ASPath" } ] - }, - "visible": true + } }, { - "name": "denyAksPrivilegedEscalation", - "type": "Microsoft.Common.OptionsGroup", - "label": "Prevent privileged escalation in Kubernetes clusters", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, policy will be assigned to prevent privileged escalations in AKS", + "name": "vWANHubCapacity", + "type": "Microsoft.Common.DropDown", + "label": "Virtual Hub Capacity", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')))]", + "toolTip": "Routing infrastructure units determine the minimum throughput of the Virtual WAN hub router and the number of Virtual Machines that can be deployed in Virtual Networks connected to the Virtual WAN hub. 
Two routing infrastructure units are included at no extra cost with a deployment of a hub.Virtual Hub Capacity.", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", - "value": "Yes" + "label": "2", + "description": "2 Routing Infrastructure Units, 3 Gbps Aggregate Throughput, Supports 2000 VMs", + "value": "2" }, { - "label": "Audit only", - "value": "Audit" + "label": "3", + "description": "3 Routing Infrastructure Units, 3 Gbps Aggregate Throughput, Supports 3000 VMs", + "value": "3" }, { - "label": "No", - "value": "No" - } - ] - }, - "visible": true - }, - { - "name": "denyHttpIngressForAks", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure HTTPS ingress is enforced in Kubernetes clusters", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, HTTPS ingress will be required in AKS", - "constraints": { - "allowedValues": [ + "label": "4", + "description": "4 Routing Infrastructure Units, 4 Gbps Aggregate Throughput, Supports 4000 VMs", + "value": "4" + }, { - "label": "Yes (recommended)", - "value": "Yes" + "label": "5", + "description": "5 Routing Infrastructure Units, 5 Gbps Aggregate Throughput, Supports 5000 VMs", + "value": "5" }, { - "label": "Audit only", - "value": "Audit" + "label": "6", + "description": "6 Routing Infrastructure Units, 6 Gbps Aggregate Throughput, Supports 6000 VMs", + "value": "6" }, { - "label": "No", - "value": "No" - } - ] - }, - "visible": true - }, - { - "name": "denyDatabricksPip", - "type": "Microsoft.Common.OptionsGroup", - "label": "Prevent public IP for Databricks workloads in the corp connected landing zones", - "defaultValue": "Yes (recommended)", - "visible": true, - "toolTip": "If 'Yes' is selected Azure Policy will prevent usage of public IP for Databricks workload.", - "constraints": { - "allowedValues": [ + "label": "7", + "description": "7 Routing Infrastructure Units, 7 Gbps Aggregate Throughput, Supports 7000 VMs", + "value": "7" + }, { - "label": "Yes 
(recommended)", - "value": "Yes" + "label": "8", + "description": "8 Routing Infrastructure Units, 8 Gbps Aggregate Throughput, Supports 8000 VMs", + "value": "8" }, { - "label": "Audit only", - "value": "Audit" + "label": "9", + "description": "9 Routing Infrastructure Units, 9 Gbps Aggregate Throughput, Supports 9000 VMs", + "value": "9" }, { - "label": "No", - "value": "No" - } - ] - } - }, - { - "name": "denyDatabricksVnet", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure VNet injection is enabled for Databricks workspaces in corp connected landing zones", - "defaultValue": "Yes (recommended)", - "visible": true, - "toolTip": "If 'Yes' is selected Azure Policy will ensure vnet injection is enabled.", - "constraints": { - "allowedValues": [ + "label": "10", + "description": "10 Routing Infrastructure Units, 10 Gbps Aggregate Throughput, Supports 10000 VMs", + "value": "10" + }, { - "label": "Yes (recommended)", - "value": "Yes" + "label": "11", + "description": "11 Routing Infrastructure Units, 11 Gbps Aggregate Throughput, Supports 11000 VMs", + "value": "11" }, { - "label": "Audit only", - "value": "Audit" + "label": "12", + "description": "12 Routing Infrastructure Units, 12 Gbps Aggregate Throughput, Supports 12000 VMs", + "value": "12" }, { - "label": "No", - "value": "No" - } - ] - } - }, - { - "name": "denyDatabricksSku", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure Databricks workloads are using the right SKU to ensure enterprise security and Azure RBAC", - "defaultValue": "Yes (recommended)", - "visible": true, - "toolTip": "If 'Yes' is selected Azure Policy will enforce the sku setting.", - "constraints": { - "allowedValues": [ + "label": "13", + "description": "13 Routing Infrastructure Units, 13 Gbps Aggregate Throughput, Supports 13000 VMs", + "value": "13" + }, { - "label": "Yes (recommended)", - "value": "Yes" + "label": "14", + "description": "14 Routing Infrastructure Units, 14 Gbps Aggregate Throughput, Supports 
14000 VMs", + "value": "14" }, { - "label": "Audit only", - "value": "Audit" + "label": "15", + "description": "15 Routing Infrastructure Units, 15 Gbps Aggregate Throughput, Supports 15000 VMs", + "value": "15" }, { - "label": "No", - "value": "No" - } - ] - } - }, - { - "name": "enableVmBackup", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.", - "constraints": { - "allowedValues": [ + "label": "16", + "description": "16 Routing Infrastructure Units, 16 Gbps Aggregate Throughput, Supports 16000 VMs", + "value": "16" + }, { - "label": "Yes (recommended)", - "value": "Yes" + "label": "17", + "description": "17 Routing Infrastructure Units, 17 Gbps Aggregate Throughput, Supports 17000 VMs", + "value": "17" }, { - "label": "Audit only", - "value": "Audit" + "label": "18", + "description": "18 Routing Infrastructure Units, 18 Gbps Aggregate Throughput, Supports 18000 VMs", + "value": "18" }, { - "label": "No", - "value": "No" - } - ] - }, - "visible": true - }, - { - "name": "denyRdp", - "type": "Microsoft.Common.OptionsGroup", - "label": "Prevent inbound RDP from internet", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound RDP from internet", - "constraints": { - "allowedValues": [ + "label": "19", + "description": "19 Routing Infrastructure Units, 19 Gbps Aggregate Throughput, Supports 19000 VMs", + "value": "19" + }, { - "label": "Yes (recommended)", - "value": "Yes" + "label": "20", + "description": "20 Routing Infrastructure Units, 20 Gbps Aggregate Throughput, Supports 20000 VMs", + "value": "20" }, { - "label": "Audit only", - "value": "Audit" + "label": "21", + "description": "21 Routing Infrastructure Units, 21 Gbps Aggregate Throughput, Supports 21000 
VMs", + "value": "21" }, { - "label": "No", - "value": "No" - } - ] - }, - "visible": true - }, - { - "name": "denySubnetWithoutNsg", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure subnets are associated with NSG", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created", - "constraints": { - "allowedValues": [ + "label": "22", + "description": "22 Routing Infrastructure Units, 22 Gbps Aggregate Throughput, Supports 22000 VMs", + "value": "22" + }, { - "label": "Yes (recommended)", - "value": "Yes" + "label": "23", + "description": "23 Routing Infrastructure Units, 23 Gbps Aggregate Throughput, Supports 23000 VMs", + "value": "23" }, { - "label": "Audit only", - "value": "Audit" + "label": "24", + "description": "24 Routing Infrastructure Units, 24 Gbps Aggregate Throughput, Supports 24000 VMs", + "value": "24" }, { - "label": "No", - "value": "No" - } - ] - }, - "visible": true - }, - { - "name": "denyIpForwarding", - "type": "Microsoft.Common.OptionsGroup", - "label": "Prevent IP forwarding", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent IP forwarding", - "constraints": { - "allowedValues": [ + "label": "25", + "description": "25 Routing Infrastructure Units, 25 Gbps Aggregate Throughput, Supports 25000 VMs", + "value": "25" + }, { - "label": "Yes (recommended)", - "value": "Yes" + "label": "26", + "description": "26 Routing Infrastructure Units, 26 Gbps Aggregate Throughput, Supports 26000 VMs", + "value": "26" }, { - "label": "Audit only", - "value": "Audit" + "label": "27", + "description": "27 Routing Infrastructure Units, 27 Gbps Aggregate Throughput, Supports 27000 VMs", + "value": "27" }, { - "label": "No", - "value": "No" - } - ] - }, - "visible": true - }, - { - "name": "enableSqlEncryption", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure Azure 
SQL is enabled with transparent data encryption", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", - "constraints": { - "allowedValues": [ + "label": "28", + "description": "28 Routing Infrastructure Units, 28 Gbps Aggregate Throughput, Supports 28000 VMs", + "value": "28" + }, { - "label": "Yes (recommended)", - "value": "Yes" + "label": "29", + "description": "29 Routing Infrastructure Units, 29 Gbps Aggregate Throughput, Supports 29000 VMs", + "value": "29" }, { - "label": "Audit only", - "value": "Audit" + "label": "30", + "description": "30 Routing Infrastructure Units, 30 Gbps Aggregate Throughput, Supports 30000 VMs", + "value": "30" }, { - "label": "No", - "value": "No" - } - ] - }, - "visible": true - }, - { - "name": "enableSqlAudit", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure auditing is enabled on Azure SQL", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure auditing is enabled on Azure SQLs", - "constraints": { - "allowedValues": [ + "label": "31", + "description": "31 Routing Infrastructure Units, 31 Gbps Aggregate Throughput, Supports 31000 VMs", + "value": "31" + }, { - "label": "Yes (recommended)", - "value": "Yes" + "label": "32", + "description": "32 Routing Infrastructure Units, 32 Gbps Aggregate Throughput, Supports 32000 VMs", + "value": "32" }, { - "label": "Audit only", - "value": "Audit" + "label": "33", + "description": "33 Routing Infrastructure Units, 33 Gbps Aggregate Throughput, Supports 33000 VMs", + "value": "33" }, { - "label": "No", - "value": "No" - } - ] - }, - "visible": true - }, - { - "name": "enableStorageHttps", - "type": "Microsoft.Common.OptionsGroup", - "label": "Ensure secure connections (HTTPS) to storage accounts", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected, Azure 
Policy will be assigned to ensure storage can only be accessed using HTTPS", - "constraints": { - "allowedValues": [ + "label": "34", + "description": "34 Routing Infrastructure Units, 34 Gbps Aggregate Throughput, Supports 34000 VMs", + "value": "34" + }, { - "label": "Yes (recommended)", - "value": "Yes" + "label": "35", + "description": "35 Routing Infrastructure Units, 35 Gbps Aggregate Throughput, Supports 35000 VMs", + "value": "35" }, { - "label": "Audit only", - "value": "Audit" + "label": "36", + "description": "36 Routing Infrastructure Units, 36 Gbps Aggregate Throughput, Supports 36000 VMs", + "value": "36" }, { - "label": "No", - "value": "No" + "label": "37", + "description": "37 Routing Infrastructure Units, 37 Gbps Aggregate Throughput, Supports 37000 VMs", + "value": "37" + }, + { + "label": "38", + "description": "38 Routing Infrastructure Units, 38 Gbps Aggregate Throughput, Supports 38000 VMs", + "value": "38" + }, + { + "label": "39", + "description": "39 Routing Infrastructure Units, 39 Gbps Aggregate Throughput, Supports 39000 VMs", + "value": "39" + }, + { + "label": "40", + "description": "40 Routing Infrastructure Units, 40 Gbps Aggregate Throughput, Supports 40000 VMs", + "value": "40" + }, + { + "label": "41", + "description": "41 Routing Infrastructure Units, 41 Gbps Aggregate Throughput, Supports 41000 VMs", + "value": "41" + }, + { + "label": "42", + "description": "42 Routing Infrastructure Units, 42 Gbps Aggregate Throughput, Supports 42000 VMs", + "value": "42" + }, + { + "label": "43", + "description": "43 Routing Infrastructure Units, 43 Gbps Aggregate Throughput, Supports 43000 VMs", + "value": "43" + }, + { + "label": "44", + "description": "44 Routing Infrastructure Units, 44 Gbps Aggregate Throughput, Supports 44000 VMs", + "value": "44" + }, + { + "label": "45", + "description": "45 Routing Infrastructure Units, 45 Gbps Aggregate Throughput, Supports 45000 VMs", + "value": "45" + }, + { + "label": "46", + "description": "46 
Routing Infrastructure Units, 46 Gbps Aggregate Throughput, Supports 46000 VMs", + "value": "46" + }, + { + "label": "47", + "description": "47 Routing Infrastructure Units, 47 Gbps Aggregate Throughput, Supports 47000 VMs", + "value": "47" + }, + { + "label": "48", + "description": "48 Routing Infrastructure Units, 48 Gbps Aggregate Throughput, Supports 48000 VMs", + "value": "48" + }, + { + "label": "49", + "description": "49 Routing Infrastructure Units, 49 Gbps Aggregate Throughput, Supports 49000 VMs", + "value": "49" + }, + { + "label": "50", + "description": "50 Routing Infrastructure Units, 50 Gbps Aggregate Throughput, Supports 50000 VMs", + "value": "50" } ] - }, - "visible": true - } - ] - } - ] - }, - "outputs": { - "parameters": { - "enterpriseScaleCompanyPrefix": "[steps('core').enterpriseScaleCompanyPrefix]", - "singlePlatformSubscriptionId": "[steps('core').singleSubscription.selector]", - "telemetryOptOut": "[steps('core').cuaSection.telemetryOptOut]", - "enableLogAnalytics": "[steps('management').enableLogAnalytics]", - "retentionInDays": "[string(steps('management').retentionInDays)]", - "managementSubscriptionId": "[steps('management').esMgmtSubSection.esMgmtSub]", - "enableAgentHealth": "[steps('management').enableAgentHealth]", - "enableChangeTracking": "[steps('management').enableChangeTracking]", - "enableUpdateMgmt": "[steps('management').enableUpdateMgmt]", - "enableVmInsights": "[steps('management').enableVmInsights]", - "enableServiceMap": "[steps('management').enableServiceMap]", - "enableSqlAssessment": "[steps('management').enableSqlAssessment]", - "enableSqlVulnerabilityAssessment": "[steps('management').enableSqlVulnerabilityAssessment]", - "enableSqlAdvancedThreatProtection": "[steps('management').enableSqlAdvancedThreatProtection]", + } + }, + { + "name": "esNetworkSecondarySubSection", + "type": "Microsoft.Common.Section", + "label": "Secondary Region Networking", + "visible": "[and(not(equals(steps('connectivity').enableHub, 
'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]", + "elements":[ + { + "name": "secondaryRegionNetworkInfo", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'No')))]", + "options": { + "text": "Your second region's networking resources will be deployed in the same subscription as the first region's. If you select the same region twice, the secondary resources will not be deployed and you may encounter errors.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology", + "style": "Info" + } + }, + { + "name": "connectivityLocationSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Region to extend networking", + "filter": true, + "toolTip": "Select the target region for your second connectivity deployment (requires you to provide a subscriptionId for connectivity)", + "defaultValue": "[parse('[]')]", + "constraints": { + "allowedValues": "[map(steps('basics').getLocations.value,(item) => parse(concat('{\"label\":\"',item.displayName,'\",\"value\":\"',item.name,'\"}')))]", + "required": true + }, + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'No')))]" + }, + { + "name": "esAddressHubVWANSecondary", + "type": "Microsoft.Common.TextBox", + "label": "Address space for your second virtual hub (required for vWAN hub)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/23)", + "defaultValue": "10.200.0.0/23", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')))]", + "constraints": { + "required": true, + 
"validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-4]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [10,24]." + } + ] + } + }, + { + "name": "esAddressHubHSSecondary", + "type": "Microsoft.Common.TextBox", + "label": "Address space for your second hub virtual network(required for hub virtual network)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/16)", + "defaultValue": "10.200.0.0/16", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'vwan')), not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'vwan')))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-4]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [10,24]." + } + ] + } + }, + { + "name": "esNwZtnNote", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')))]", + "options": { + "text": "ALZ defaults are aligned to Zero Trust Networking principles. 
Click on this box to learn more about the Zero Trust Networking principles and how to apply them.", + "uri": "https://learn.microsoft.com/security/zero-trust/deploy/networks", + "style": "Info" + } + }, + { + "name": "enableVpnGwSecondary", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy VPN Gateway in your second region", + "defaultValue": "No", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'No')))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy VPN gateway", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "gwRegionalOrAzSecondary", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy zone redundant or regional VPN Gateway in your second region", + "defaultValue": "Zone redundant (recommended)", + "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'),contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone redundant (recommended)", + "value": "Zone" + }, + { + "label": "Regional", + "value": "Regional" + } + ] + } + }, + { + "name": 
"enableVpnActiveActiveSecondary", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy VPN Gateway in Active/Active mode in your second region", + "defaultValue": "No", + "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')), equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'))]", + "toolTip": "Deploy the VPN gateway in Active/Active mode", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esGwNoAzSkuSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway SKU for your second region", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'), not(contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary)))]", + "toolTip": "Select the required SKU for the VPN gateway.", + "constraints": { + "allowedValues": [ + { + "label": "VpnGw2", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2" + }, + { + "label": "VpnGw3", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 
IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3" + }, + { + "label": "VpnGw4", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4" + }, + { + "label": "VpnGw5", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5" + } + ] + } + }, + { + "name": "gwAzSkuSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway SKU for your second region", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'), equals(steps('connectivity').esNetworkSecondarySubSection.gwRegionalOrAzSecondary, 'Zone') ,contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary))]", + "toolTip": "Select the required SKU for the VPN gateway.", + "constraints": { + "allowedValues": [ + { + "label": "VpnGw2AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2AZ" + }, + { + "label": "VpnGw3AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN 
connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3AZ" + }, + { + "label": "VpnGw4AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4AZ" + }, + { + "label": "VpnGw5AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5AZ" + } + ] + } + }, + { + "name": "gwRegionalSkuSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway SKU for your second region", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary,'Yes'), equals(steps('connectivity').esNetworkSecondarySubSection.gwRegionalOrAzSecondary, 'Regional'))]", + "toolTip": "Select the required SKU for the VPN gateway.", + "constraints": { + "allowedValues": [ + { + "label": "VpnGw2", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2" + }, + { + "label": "VpnGw3", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3" + }, + { + "label": "VpnGw4", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4" + }, + { + "label": "VpnGw5", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 
IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5" + } + ] + } + }, + { + "name": "vpnGateWayScaleUnitSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway scale unit for your second region", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary, 'Yes'), equals(steps('connectivity').enableHub, 'vwan'))]", + "toolTip": "Select the VPN Gateway scale unit", + "constraints": { + "allowedValues": [ + { + "label": "1 scale unit", + "description": "Supports 500 Mbps x2", + "value": "1" + }, + { + "label": "2 scale units", + "description": "Supports 1 Gbps x 2", + "value": "2" + }, + { + "label": "3 scale units", + "description": "Supports 1.5 Gbps x 2", + "value": "3" + }, + { + "label": "4 scale units", + "description": "Supports 2 Gbps x 2", + "value": "4" + }, + { + "label": "5 scale units", + "description": "Supports 2.5 Gbps x 2", + "value": "5" + }, + { + "label": "6 scale units", + "description": "Supports 3 Gbps x 2", + "value": "6" + }, + { + "label": "7 scale units", + "description": "Supports 3.5 Gbps x 2", + "value": "7" + }, + { + "label": "8 scale units", + "description": "Supports 4 Gbps x 2", + "value": "8" + }, + { + "label": "9 scale units", + "description": "Supports 4.5 Gbps x 2", + "value": "9" + }, + { + "label": "10 scale units", + "description": "Supports 5 Gbps x 2", + "value": "10" + }, + { + "label": "11 scale units", + "description": "Supports 5.5 Gbps x 2", + "value": "11" + }, + { + "label": "12 scale units", + "description": "Supports 6 Gbps x 2", + "value": "12" + }, + { + "label": "13 scale units", + "description": "Supports 6.5 Gbps x 2", + "value": "13" + }, + { + "label": "14 scale units", + "description": "Supports 7 Gbps x 2", + "value": "14" + }, + { + "label": "15 scale units", + "description": "Supports 7.5 Gbps x 2", + 
"value": "15" + }, + { + "label": "16 scale units", + "description": "Supports 8 Gbps x 2", + "value": "16" + }, + { + "label": "17 scale units", + "description": "Supports 8.5 Gbps x 2", + "value": "17" + }, + { + "label": "18 scale units", + "description": "Supports 9 Gbps x 2", + "value": "18" + }, + { + "label": "19 scale units", + "description": "Supports 9.5 Gbps x 2", + "value": "19" + }, + { + "label": "20 scale units", + "description": "Supports 10 Gbps x 2", + "value": "20" + } + ] + } + }, + { + "name": "subnetMaskForGwSecondary", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for VPN/ExpressRoute Gateways in your second region", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.1.0/24)", + "defaultValue": "10.200.1.0/24", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'vwan')), or(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'),equals(steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary, 'Yes')))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-7]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,27]." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForGwSecondary, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." 
+ }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForGwSecondary, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForGwSecondary, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." + }, + { + "isValid": "[lessOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), last(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForGwSecondary, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." 
+ } + ] + } + }, + { + "name": "enableErGwSecondary", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy ExpressRoute Gateway in your second region", + "defaultValue": "No", + "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'No')))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route gateway", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "erRegionalOrAzSecondary", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy zone redundant or regional ExpressRoute Gateway in your second region", + "defaultValue": "Zone redundant (recommended)", + "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary,'Yes'),contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route Gateway to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone redundant (recommended)", + "value": "Zone" + }, + { + "label": "Regional", + "value": "Regional" + } + ] + } + }, + { + "name": "erAzSkuSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU for your second region", + "defaultValue": "", + 
"multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary,'Yes'), equals(steps('connectivity').esNetworkSecondarySubSection.erRegionalOrAzSecondary, 'Zone'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary))]", + "toolTip": "Select the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "ErGw1AZ", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "ErGw1AZ" + }, + { + "label": "ErGw2AZ", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "ErGw2AZ" + }, + { + "label": "ErGw3AZ", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "ErGw3AZ" + } + ] + } + }, + { + "name": "erRegionalSkuSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU for your second region", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))), 
equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary,'Yes'), equals(steps('connectivity').esNetworkSecondarySubSection.erRegionalOrAzSecondary, 'Regional'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary))]", + "toolTip": "Select the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "Standard" + }, + { + "label": "HighPerformance", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "HighPerformance" + }, + { + "label": "UltraPerformance", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "UltraPerformance" + } + ] + } + }, + { + "name": "esErNoAzSkuSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU for your second region", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan'))),equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary,'Yes'), 
not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary)))]", + "toolTip": "Select the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "Standard" + }, + { + "label": "HighPerformance", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "HighPerformance" + }, + { + "label": "UltraPerformance", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "UltraPerformance" + } + ] + } + }, + { + "name": "expressRouteScaleUnitSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway scale unit for your second region", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary, 'Yes'), equals(steps('connectivity').enableHub, 'vwan'))]", + "toolTip": "Select the ExpressRoute Gateway scale unit", + "constraints": { + "allowedValues": [ + { + "label": "1 scale unit", + "description": "Supports 2 Gbps", + "value": "1" + }, + { + "label": "2 scale units", + "description": "Supports 4 Gbps", + "value": "2" + }, + { + "label": "3 scale units", + "description": "Supports 6 Gbps", + "value": "3" + }, + { + "label": "4 scale units", + "description": "Supports 8 Gbps", + "value": "4" + }, + { + "label": "5 scale units", + "description": "Supports 10 
Gbps", + "value": "5" + }, + { + "label": "6 scale units", + "description": "Supports 12 Gbps", + "value": "6" + }, + { + "label": "7 scale units", + "description": "Supports 14 Gbps", + "value": "7" + }, + { + "label": "8 scale units", + "description": "Supports 16 Gbps", + "value": "8" + }, + { + "label": "9 scale units", + "description": "Supports 18 Gbps", + "value": "9" + }, + { + "label": "10 scale units", + "description": "Supports 20 Gbps", + "value": "10" + } + ] + } + }, + { + "name": "enableAzFwSecondary", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Azure Firewall in your second region", + "defaultValue": "Yes (recommended)", + "visible": "[or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "firewallSkuSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Select Azure Firewall tier for your second region", + "defaultValue": "Premium", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes')]", + "toolTip": "Select Azure Firewall tier", + "constraints": { + "allowedValues": [ + { + "label": "Basic", + "description": "Basic Azure Firewall", + "value": "Basic" + }, + { + "label": "Standard", + "description": "Standard Azure Firewall", + "value": "Standard" + }, + { + "label": "Premium", + "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.", + "value": "Premium" + } + ] + } + }, + { + "name": "esFWAZNoteSecondary", + "type": "Microsoft.Common.InfoBox", + "visible": "[if(or(equals(steps('connectivity').enableHub, 
'vhub'), equals(steps('connectivity').enableHub, 'vwan')), and(equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary,'Yes'), contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary)), false)]", + "options": { + "text": "ALZ enables Availability Zones for all services that it deploys by default for maximum resiliency in regions where Availability Zones are supported, including for Azure Firewall. Review the selected Availability Zones meet your architectural requirements and that you understand the added costs for inbound and outbound data transfers associated with Avaialability Zones, before proceeding. Click on this box to learn more about the Availability Zones and Azure Firewall.", + "uri": "https://learn.microsoft.com/en-us/azure/firewall/features#built-in-high-availability", + "style": "Info" + } + }, + { + "name": "firewallZonesSecondary", + "type": "Microsoft.Common.DropDown", + "label": "Select Availability Zones for the Azure Firewall in your second region", + "defaultValue": [{"value": "1"}, {"value": "2"}, {"value": "3"}], + "multiselect": true, + "selectAll": true, + "filter": true, + "visible": "[if(or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'vwan')), and(equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary,'Yes'), 
contains(split('brazilsouth,canadacentral,centralus,eastus,eastus2,southcentralus,westus2,westus3,francecentral,germanywestcentral,northeurope,norwayeast,uksouth,westeurope,swedencentral,switzerlandnorth,qatarcentral,uaenorth,southafricanorth,australiaeast,centralindia,japaneast,koreacentral,southeastasia,eastasia,italynorth', ','), steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary)), false)]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone 1", + "value": "1" + }, + { + "label": "Zone 2", + "value": "2" + }, + { + "label": "Zone 3", + "value": "3" + } + ] + } + }, + { + "name": "subnetMaskForAzFwSecondary", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for Azure Firewall in your second region", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/24)", + "defaultValue": "10.200.0.0/24", + "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'), not(equals(steps('connectivity').enableHub, 'vwan')))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,26]." 
+ }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 3))), true)]", + "message": "CIDR range not within virtual network CIDR range (third octet)." + }, + { + "isValid": "[lessOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), last(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')))]", + "message": "CIDR range not within virtual network CIDR range (subnet mask)." 
+ } + ] + } + }, + { + "name": "subnetMaskForAzFwMgmtSecondary", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for Azure Firewall Mgmt (Optional Only for Basic SKU) in your second region", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.200.0.0/26)", + "defaultValue": "10.200.2.0/24", + "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'), equals(steps('connectivity').esNetworkSecondarySubSection.firewallSkuSecondary, 'Basic'), not(equals(steps('connectivity').enableHub, 'vwan')))]", + "constraints": { + "required": true, + "validations": [ + { + "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[0-6]))$", + "message": "Invalid CIDR range. The address prefix must be in the range [20,26]." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 8), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 1)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 1))), true)]", + "message": "CIDR range not within virtual network CIDR range (first octet)." + }, + { + "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 16), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 2)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 2))), true)]", + "message": "CIDR range not within virtual network CIDR range (second octet)." 
+ },
+ {
+ "isValid": "[if(greaterOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), 24), equals(last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), '.'), 3)), last(take(split(first(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')), '.'), 3))), true)]",
+ "message": "CIDR range not within virtual network CIDR range (third octet)."
+ },
+ {
+ "isValid": "[lessOrEquals(last(split(steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '/')), last(split(steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary, '/')))]",
+ "message": "CIDR range not within virtual network CIDR range (subnet mask)."
+ }
+ ]
+ }
+ },
+ {
+ "name": "enableAzFwDnsProxySecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Firewall as a DNS proxy in your second region",
+ "defaultValue": "No",
+ "visible": "[and(equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'), not(equals(steps('connectivity').esNetworkSecondarySubSection.firewallSkuSecondary, 'Basic')))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "enablevWANRoutingIntentSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable vWAN Routing Intent in your second",
+ "defaultValue": "No",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'))]",
+ "toolTip": "Enable vWan Routing Intent and set Azure Firewall as the next hop 
either for Internet Traffic, Private Traffic or both",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vWANRoutingIntentforInternetTrafficSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Select Yes if you want to enable routing intent policy to apply on Internet Traffic for your second region",
+ "defaultValue": "No",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').enableAzFw, 'Yes'),equals(steps('connectivity').esNetworkSecondarySubSection.enablevWANRoutingIntentSecondary, 'Yes'))]",
+ "toolTip": "Enable vWAN Routing Intent for Internet Traffic",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vWANRoutingIntentforPrivateTrafficSecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Select Yes if you want to enable routing intent policy to apply on Private Traffic",
+ "defaultValue": "No",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), equals(steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary, 'Yes'),equals(steps('connectivity').esNetworkSecondarySubSection.enablevWANRoutingIntentSecondary, 'Yes'))]",
+ "toolTip": "Enable vWAN Routing Intent for Private Traffic for your second region",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vWANHubRoutingPreferenceSecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Hub Routing Preference for secondary region",
+ "defaultValue": "ExpressRoute (default)",
+ "multiselect": 
false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')))]",
+ "toolTip": "Preference used in selecting best path when the virtual hub learns multiple paths to the same destination route-prefix.Virtual hub routing preference.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "ExpressRoute (default)",
+ "description": "ExpressRoute is the preferred path. (default)",
+ "value": "ExpressRoute"
+ },
+ {
+ "label": "VPN",
+ "description": "VPN is the preferred path",
+ "value": "VpnGateway"
+ },
+ {
+ "label": "AS Path",
+ "description": "AS Path is the preferred path",
+ "value": "ASPath"
+ }
+ ]
+ }
+ },
+ {
+ "name": "vWANHubCapacitySecondary",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Virtual Hub Capacity in second region",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')), not(equals(steps('connectivity').enableHub, 'No')), not(equals(steps('connectivity').enableHub, 'nva')), not(equals(steps('connectivity').enableHub, 'vhub')))]",
+ "toolTip": "Routing infrastructure units determine the minimum throughput of the Virtual WAN hub router and the number of Virtual Machines that can be deployed in Virtual Networks connected to the Virtual WAN hub. 
Two routing infrastructure units are included at no extra cost with a deployment of a hub.Virtual Hub Capacity.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "2",
+ "description": "2 Routing Infrastructure Units, 3 Gbps Aggregate Throughput, Supports 2000 VMs",
+ "value": "2"
+ },
+ {
+ "label": "3",
+ "description": "3 Routing Infrastructure Units, 3 Gbps Aggregate Throughput, Supports 3000 VMs",
+ "value": "3"
+ },
+ {
+ "label": "4",
+ "description": "4 Routing Infrastructure Units, 4 Gbps Aggregate Throughput, Supports 4000 VMs",
+ "value": "4"
+ },
+ {
+ "label": "5",
+ "description": "5 Routing Infrastructure Units, 5 Gbps Aggregate Throughput, Supports 5000 VMs",
+ "value": "5"
+ },
+ {
+ "label": "6",
+ "description": "6 Routing Infrastructure Units, 6 Gbps Aggregate Throughput, Supports 6000 VMs",
+ "value": "6"
+ },
+ {
+ "label": "7",
+ "description": "7 Routing Infrastructure Units, 7 Gbps Aggregate Throughput, Supports 7000 VMs",
+ "value": "7"
+ },
+ {
+ "label": "8",
+ "description": "8 Routing Infrastructure Units, 8 Gbps Aggregate Throughput, Supports 8000 VMs",
+ "value": "8"
+ },
+ {
+ "label": "9",
+ "description": "9 Routing Infrastructure Units, 9 Gbps Aggregate Throughput, Supports 9000 VMs",
+ "value": "9"
+ },
+ {
+ "label": "10",
+ "description": "10 Routing Infrastructure Units, 10 Gbps Aggregate Throughput, Supports 10000 VMs",
+ "value": "10"
+ },
+ {
+ "label": "11",
+ "description": "11 Routing Infrastructure Units, 11 Gbps Aggregate Throughput, Supports 11000 VMs",
+ "value": "11"
+ },
+ {
+ "label": "12",
+ "description": "12 Routing Infrastructure Units, 12 Gbps Aggregate Throughput, Supports 12000 VMs",
+ "value": "12"
+ },
+ {
+ "label": "13",
+ "description": "13 Routing Infrastructure Units, 13 Gbps Aggregate Throughput, Supports 13000 VMs",
+ "value": "13"
+ },
+ {
+ "label": "14",
+ "description": "14 Routing Infrastructure Units, 14 Gbps Aggregate Throughput, Supports 14000 VMs",
+ "value": "14"
+ },
+ {
+ 
"label": "15", + "description": "15 Routing Infrastructure Units, 15 Gbps Aggregate Throughput, Supports 15000 VMs", + "value": "15" + }, + { + "label": "16", + "description": "16 Routing Infrastructure Units, 16 Gbps Aggregate Throughput, Supports 16000 VMs", + "value": "16" + }, + { + "label": "17", + "description": "17 Routing Infrastructure Units, 17 Gbps Aggregate Throughput, Supports 17000 VMs", + "value": "17" + }, + { + "label": "18", + "description": "18 Routing Infrastructure Units, 18 Gbps Aggregate Throughput, Supports 18000 VMs", + "value": "18" + }, + { + "label": "19", + "description": "19 Routing Infrastructure Units, 19 Gbps Aggregate Throughput, Supports 19000 VMs", + "value": "19" + }, + { + "label": "20", + "description": "20 Routing Infrastructure Units, 20 Gbps Aggregate Throughput, Supports 20000 VMs", + "value": "20" + }, + { + "label": "21", + "description": "21 Routing Infrastructure Units, 21 Gbps Aggregate Throughput, Supports 21000 VMs", + "value": "21" + }, + { + "label": "22", + "description": "22 Routing Infrastructure Units, 22 Gbps Aggregate Throughput, Supports 22000 VMs", + "value": "22" + }, + { + "label": "23", + "description": "23 Routing Infrastructure Units, 23 Gbps Aggregate Throughput, Supports 23000 VMs", + "value": "23" + }, + { + "label": "24", + "description": "24 Routing Infrastructure Units, 24 Gbps Aggregate Throughput, Supports 24000 VMs", + "value": "24" + }, + { + "label": "25", + "description": "25 Routing Infrastructure Units, 25 Gbps Aggregate Throughput, Supports 25000 VMs", + "value": "25" + }, + { + "label": "26", + "description": "26 Routing Infrastructure Units, 26 Gbps Aggregate Throughput, Supports 26000 VMs", + "value": "26" + }, + { + "label": "27", + "description": "27 Routing Infrastructure Units, 27 Gbps Aggregate Throughput, Supports 27000 VMs", + "value": "27" + }, + { + "label": "28", + "description": "28 Routing Infrastructure Units, 28 Gbps Aggregate Throughput, Supports 28000 VMs", + "value": 
"28" + }, + { + "label": "29", + "description": "29 Routing Infrastructure Units, 29 Gbps Aggregate Throughput, Supports 29000 VMs", + "value": "29" + }, + { + "label": "30", + "description": "30 Routing Infrastructure Units, 30 Gbps Aggregate Throughput, Supports 30000 VMs", + "value": "30" + }, + { + "label": "31", + "description": "31 Routing Infrastructure Units, 31 Gbps Aggregate Throughput, Supports 31000 VMs", + "value": "31" + }, + { + "label": "32", + "description": "32 Routing Infrastructure Units, 32 Gbps Aggregate Throughput, Supports 32000 VMs", + "value": "32" + }, + { + "label": "33", + "description": "33 Routing Infrastructure Units, 33 Gbps Aggregate Throughput, Supports 33000 VMs", + "value": "33" + }, + { + "label": "34", + "description": "34 Routing Infrastructure Units, 34 Gbps Aggregate Throughput, Supports 34000 VMs", + "value": "34" + }, + { + "label": "35", + "description": "35 Routing Infrastructure Units, 35 Gbps Aggregate Throughput, Supports 35000 VMs", + "value": "35" + }, + { + "label": "36", + "description": "36 Routing Infrastructure Units, 36 Gbps Aggregate Throughput, Supports 36000 VMs", + "value": "36" + }, + { + "label": "37", + "description": "37 Routing Infrastructure Units, 37 Gbps Aggregate Throughput, Supports 37000 VMs", + "value": "37" + }, + { + "label": "38", + "description": "38 Routing Infrastructure Units, 38 Gbps Aggregate Throughput, Supports 38000 VMs", + "value": "38" + }, + { + "label": "39", + "description": "39 Routing Infrastructure Units, 39 Gbps Aggregate Throughput, Supports 39000 VMs", + "value": "39" + }, + { + "label": "40", + "description": "40 Routing Infrastructure Units, 40 Gbps Aggregate Throughput, Supports 40000 VMs", + "value": "40" + }, + { + "label": "41", + "description": "41 Routing Infrastructure Units, 41 Gbps Aggregate Throughput, Supports 41000 VMs", + "value": "41" + }, + { + "label": "42", + "description": "42 Routing Infrastructure Units, 42 Gbps Aggregate Throughput, Supports 42000 
VMs", + "value": "42" + }, + { + "label": "43", + "description": "43 Routing Infrastructure Units, 43 Gbps Aggregate Throughput, Supports 43000 VMs", + "value": "43" + }, + { + "label": "44", + "description": "44 Routing Infrastructure Units, 44 Gbps Aggregate Throughput, Supports 44000 VMs", + "value": "44" + }, + { + "label": "45", + "description": "45 Routing Infrastructure Units, 45 Gbps Aggregate Throughput, Supports 45000 VMs", + "value": "45" + }, + { + "label": "46", + "description": "46 Routing Infrastructure Units, 46 Gbps Aggregate Throughput, Supports 46000 VMs", + "value": "46" + }, + { + "label": "47", + "description": "47 Routing Infrastructure Units, 47 Gbps Aggregate Throughput, Supports 47000 VMs", + "value": "47" + }, + { + "label": "48", + "description": "48 Routing Infrastructure Units, 48 Gbps Aggregate Throughput, Supports 48000 VMs", + "value": "48" + }, + { + "label": "49", + "description": "49 Routing Infrastructure Units, 49 Gbps Aggregate Throughput, Supports 49000 VMs", + "value": "49" + }, + { + "label": "50", + "description": "50 Routing Infrastructure Units, 50 Gbps Aggregate Throughput, Supports 50000 VMs", + "value": "50" + } + ] + } + } + ] + } + ] + }, + { + "name": "identity", + "label": "Identity", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "ALZ - Identity Settings", + "elements": [ + { + "name": "multiPlatformIdentitySub", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(equals(steps('core').platformSubscription, 'Single'))]", + "options": { + "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, you must allocate an identity Subscription that is dedicated to host your Active Directory domain controllers. Please note, this Subscription will be moved to the identity Management Group, and ARM will assign the selected policies. 
We recommend using a new Subscription with no existing resources.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "singlePlatformIdentitySub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('core').platformSubscription, 'Single')]",
+ "options": {
+ "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, it is recommended to assign specific policies to govern the virtual machines used for Active Directory domain controllers.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "esIdentity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Assign recommended policies to govern identity and domain controllers",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esIdentitySubSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Identity subscription",
+ "elements": [
+ {
+ "name": "esIdentitySubUniqueWarning",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "Ensure you select a subscription that is dedicated/unique for Identity. Selecting the same Subscription here for Management or Connectivity will result in a deployment failure. 
If you want to use a single Subscription for all platform resources, select 'Single' on the 'Azure Core Setup' blade.",
+ "uri": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions#organization-and-governance-design-considerations",
+ "style": "Warning"
+ }
+ },
+ {
+ "name": "esIdentitySub",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Identity subscription",
+ "defaultValue": "[parse('[]')]",
+ "toolTip": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter subscriptions...",
+ "multiLine": true,
+ "visible": true,
+ "constraints": {
+ "allowedValues": "[steps('basics').getSubscriptions.data]",
+ "required": true
+ }
+ }
+ ],
+ "visible": "[and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single')))]"
+ },
+ {
+ "name": "identitypolicies",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[equals(steps('identity').esIdentity,'Yes')]",
+ "options": {
+ "text": "Select which of the the recommended policies you will assign to your identity management group.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance"
+ }
+ }
+ },
+ {
+ "name": "denyMgmtPortsForIdentity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent inbound management ports from internet",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound management ports (22, 3389) from internet.
Uses the custom policy Management port access from the Internet should be blocked.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('identity').esIdentity,'Yes')]"
+ },
+ {
+ "name": "denySubnetWithoutNsgForIdentity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure subnets are associated with NSG",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created.
Uses the custom policy Subnets should have a Network Security Group.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('identity').esIdentity,'Yes')]"
+ },
+ {
+ "name": "denyPipForIdentity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent usage of public IP",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure public IP resources cannot be created.
Uses the policy Not allowed resource types with parameters including Public IP Address resources.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single')))]"
+ },
+ {
+ "name": "enableVmBackupForIdentity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.
Uses the policy Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('identity').esIdentity,'Yes')]"
+ },
+ {
+ "name": "esIdentityConnectivity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Create virtual network and connect to the connectivity hub (optional)?",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[and(and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single'))), equals(steps('identity').esIdentity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
+ },
+ {
+ "name": "identityAddressPrefix",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Virtual network address space",
+ "placeholder": "",
+ "defaultValue": "10.110.0.0/24",
+ "toolTip": "The virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-9]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,29]."
+ }
+ ]
+ },
+ "visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
+ },
+ {
+ "name": "esIdentitySecondarySubSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Secondary Region Identity",
+ "visible": "[and(not(equals(steps('connectivity').enableHub, 'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]",
+ "elements":[
+ {
+ "name": "esIdentityConnectivitySecondary",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Create virtual network and connect to the connectivity hub in your secondary region (optional)?",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
+ },
+ {
+ "name": "identityAddressPrefixSecondary",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Virtual network address space",
+ "placeholder": "",
+ "defaultValue": "10.210.0.0/24",
+ "toolTip": "The secondary virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-9]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,29]."
+ }
+ ]
+ },
+ "visible": "[and(equals(steps('identity').esIdentitySecondarySubSection.esIdentityConnectivitySecondary, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "landingZones",
+ "label": "Landing zones configuration",
+ "subLabel": {
+ "preValidation": "",
+ "postValidation": ""
+ },
+ "bladeTitle": "ALZ - Landing Zones Settings",
+ "elements": [
+ {
+ "name": "infoBox1",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "You can optionally provide subscriptions for your first landing zones for both 'online' and 'corp' and assign recommended policies for 'landing zone', 'online' and 'corp' management groups that will ensure workloads will be secure, monitored, and protected according to best practices.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "lzSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Landing Zone Management Group",
+ "elements": [
+ {
+ "name": "azMonText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Select which of the the recommended policies you will assign to your landing zone management group.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance"
+ }
+ }
+ },
+ {
+ "name": "enableLzDdoS",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable DDoS Network Protection",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[and(not(equals(steps('connectivity').enableHub,'No')),equals(steps('connectivity').enableDdoS,'Yes'))]",
+ "toolTip": "If 'Yes' is selected when also adding a connectivity subscription earlier, DDoS Network Protection will be enabled.
Uses the policy Virtual networks should be protected by Azure DDoS Protection Standard.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "enablePrivateDnsZonesForLzs",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones in the corp connected landing zones",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[equals(steps('connectivity').enablePrivateDnsZones, 'Yes')]",
+ "toolTip": "If 'Yes' is selected then Azure Policy will ensure private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones in the connectivity subscription on behalf of the users.
Uses the custom initiative Configure Azure PaaS services to use private DNS zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "enableEncryptionInTransit",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure encryption in transit is enabled for PaaS services",
+ "defaultValue": "Yes (recommended)",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected then Azure Policy will ensure PaaS resources uses TLS and SSL.
Uses the custom initiative Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "enableVmMonitoring",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure VMs (Windows & Linux) and Azure Arc-enabled servers are being monitored",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "Enabling this Azure Policy will ensure that every virtual machine (Windows, Linux, including Azure Arc enabled servers) are onboarded to Azure Monitor and Security.
Uses the initiative Enable Azure Monitor for VMs.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "enableVmssMonitoring",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure VMSS (Windows & Linux) are being monitored",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "Enabling this Azure Policy will ensure that every virtual machine scale set (Windows & Linux) are onboarded to Azure Monitor and Security.
Uses the initiative Enable Azure Monitor for Virtual Machine Scale Sets.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "enableVmHybridMonitoring",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Hybrid VMs are being monitored",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "Enabling this Azure Policy will ensure that Azure Arc Enabled Hybrid VMs are monitored.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "enableAksPolicy",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Kubernetes (AKS) for Azure Policy",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected the Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters will be enabled.
Uses the policy Deploy Azure Policy Add-on to Azure Kubernetes Service clusters.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "denyAksPrivileged",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent privileged containers in Kubernetes clusters",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, policy will be assigned to prevent privileged containers in AKS.
Uses the policy Kubernetes cluster should not allow privileged containers.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "denyAksPrivilegedEscalation",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent privileged escalation in Kubernetes clusters",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, policy will be assigned to prevent privileged escalations in AKS.
Uses the policy Kubernetes clusters should not allow container privilege escalation.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "denyHttpIngressForAks",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure HTTPS ingress is enforced in Kubernetes clusters",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, HTTPS ingress will be required in AKS.
Uses the policy Kubernetes clusters should be accessible only over HTTPS.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "enableVmBackup",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.
Uses the policy Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "denyMgmtPorts",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent inbound management ports from internet",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound management ports (22, 3389) from internet.
Uses the custom policy Management port access from the Internet should be blocked.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "denySubnetWithoutNsg",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure subnets are associated with NSG",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created.
Uses the custom policy Subnets should have a Network Security Group.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "denyIpForwarding",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent IP forwarding",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent IP forwarding.
Uses the policy Network interfaces should disable IP forwarding.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "enableSqlEncryption",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure SQL is enabled with transparent data encryption",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected TDE will be enabled on all SQL instances.
Uses the policy Deploy SQL DB transparent data encryption.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "enableSqlThreat",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure SQL Threat Detection is enabled",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected Azure Defender will be enabled on all SQL instances.
Uses the policy Configure Azure Defender to be enabled on SQL servers.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "enableSqlAudit",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure auditing is enabled on Azure SQL",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure auditing is enabled on Azure SQL.
Uses the policy Configure SQL servers to have auditing enabled to Log Analytics workspace.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "enableStorageHttps",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure secure connections (HTTPS) to storage accounts",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure storage can only be accessed using HTTPS.
Uses the policy Secure transfer to storage accounts should be enabled.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "enforceKvGuardrails",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enforce Key Vault recommended guardrails",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy Initiative will be assigned to ensure recommended Key Vault policies are enabled.
Uses the custom initiative Enforce recommended guardrails for Azure Key Vault..",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "enforceBackup",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enforce Backup and Recovery recommended guardrails",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy Initiative will be assigned to ensure recommended Azure Recovery Services policies are enabled.
Uses the custom initiative Enforce enhanced recovery and backup policies.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "auditAppGwWaf",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Audit WAF enabled on Application Gateways",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to audit whether WAF is enabled on Application Gateways.
Uses the policy Web Application Firewall (WAF) should be enabled for Application Gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "enforceAcsb",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Compute Security Baseline compliance auditing",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to audit whether Windows and Linux virtual machines are Azure Compute Security Baseline compliant.
Uses the custom initiative Enforce Azure Compute Security Benchmark compliance auditing.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ }
+ ],
+ "visible": "[equals(steps('basics').cloudEnvironment.selection, 'AzureCloud')]"
+ },
+ {
+ "name": "corpOnlineSettingsInfo",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "You can optionally provide subscriptions for your first landing zones for both 'online' and 'corp' and choose to enable the assignment of recommended policies for the corp and online landing zones that will enable policies according to best practices.",
+ "uri": "https://aka.ms/alz/policies",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "corpSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Corp Management Group",
+ "elements": [
+ {
+ "name": "corpText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Select the subscriptions you want to move to corp management group.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization"
+ }
+ }
+ },
+ {
+ "name": "esLzConnectivity",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Connect corp landing zones to the connectivity hub (optional)?",
+ "defaultValue": "No",
+ "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[or(equals(steps('connectivity').enableHub, 'nva'), equals(steps('connectivity').enableHub, 'vhub'))]"
+ },
+ {
+ "name": "esCorpLzSub",
+ "type": "Microsoft.Common.DropDown",
+ 
"label": "Corp landing zone subscriptions (optional)",
+ "defaultValue": "[parse('[]')]",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": "[or(or(equals(steps('landingZones').corpSection.esLzConnectivity, 'No'), equals(steps('connectivity').enableHub, 'No')), equals(steps('connectivity').enableHub, 'vwan'), equals(steps('landingZones').corpSection.esLzConnectivity, 'No'))]",
+ "constraints": {
+ "allowedValues": "[steps('basics').getSubscriptions.data]",
+ "required": false
+ }
+ },
+ {
+ "name": "lzConnectedSubs",
+ "type": "Microsoft.Common.EditableGrid",
+ "ariaLabel": "Add existing subscriptions into the management group landing zone and provide address space for virtual network peering",
+ "label": "Corp connected landing zone subscriptions (optional)",
+ "visible": "[equals(steps('landingZones').corpSection.esLzConnectivity, 'Yes')]",
+ "constraints": {
+ "width": "Full",
+ "rows": {
+ "count": {
+ "min": 1,
+ "max": 10
+ }
+ },
+ "columns": [
+ {
+ "id": "subs",
+ "header": "Subscription",
+ "width": "1fr",
+ "element": {
+ "name": "esLzConnectedSub",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Landing zone subscription",
+ "defaultValue": "[parse('[]')]",
+ "toolTip": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": false,
+ "constraints": {
+ "allowedValues": "[steps('basics').getSubscriptions.data]",
+ "required": false
+ }
+ }
+ },
+ {
+ "id": "addresses",
+ "header": "Virtual Network Address space",
+ "width": "1fr",
+ "element": {
+ "type": "Microsoft.Common.TextBox",
+ "placeholder": "Ensure there are no overlapping IP addresses!",
+ "constraints": {
+ "required": true,
+ "validations": [
+ {
+ "regex": 
"^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-4]))$",
+ "message": "Invalid CIDR range. The address prefix must be in the range [10,24]."
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "name": "denyPublicEndpoints",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent usage of Public Endpoints for Azure PaaS services in the corp connected landing zones",
+ "defaultValue": "Yes (recommended)",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected then Azure Policy will prevent PaaS resources to use public endpoints.
Uses the custom initiative Public network access should be disabled for PaaS services.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "denyPipOnNicForCorp",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent usage of NICs with public IP(s) in the corp connected landing zones",
+ "defaultValue": "Yes (recommended)",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected then Azure Policy will prevent NICs with public IPs(s).
Uses the policy Network interfaces should not have public IPs.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "denyHybridNetworking",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deny the deployment of vWAN/VPN/ERs, including Gateways, to Subscriptions in the Corp Management Group",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected for Corp, vWAN/VPN/ER, including Gateways, will be blocked from deployment to the Corp Management Group.
Uses the policy Not allowed resource types with parameters for Express Route and VPN gateways.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "auditPeDnsZones",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Audit the deployment of Private Link Private DNS Zones in the Corp Management Group",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected an audit policy will be enabled for checking if any Private Link Private DNS Zones are deployed in subscriptions in the Corp Management Group.
Uses the policy Audit the creation of Private Link Private DNS Zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "Audit only",
+ "value": "Audit"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ }
+ ],
+ "visible": "[equals(steps('basics').cloudEnvironment.selection, 'AzureCloud')]"
+ },
+ {
+ "name": "onlineSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Online Management Group",
+ "elements": [
+ {
+ "name": "onlineText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Select the subscriptions you want to move to online management group.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization"
+ }
+ }
+ },
+ {
+ "name": "esOnlineLzSub",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Online landing zone subscriptions (optional)",
+ "defaultValue": "[parse('[]')]",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": true,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": true,
+ "constraints": {
+ "allowedValues": "[steps('basics').getSubscriptions.data]",
+ "required": false
+ }
+ },
+ {
+ "name": "onlineSettingsInfo1",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "There are no additional policy assignments for the online management group at this time, however, the online management group inherits and enforces the policies from the hierarchy above it.",
+ "style": "Info"
+ }
+ }
+ ],
+ "visible": "[equals(steps('basics').cloudEnvironment.selection, 'AzureCloud')]"
+ }
+ ]
+ },
+ {
+ "name": "workloadspecific",
+ "label": "Workload Specific Compliance",
+ "elements": [
+ {
+ "name": "wsText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "For customers in highly regulated 
industries like healthcare, financial services, public sector, etc. you can optionally select one, or more, Workload Specific Compliance Policy Initiatives (Set Definitions) to assign to the selected Management Groups of your Azure Landing Zones hierarchy (e.g. Contoso).",
+ "link": {
+ "label": "Learn More",
+ "uri": ""
+ }
+ }
+ },
+ {
+ "name": "wsInfoCheck",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "Please carefully review each of the initiatives and the controls they enforce to ensure they align with your organization's compliance requirements. You can hover over the workload name to show the tooltip, which includes a link to the initiative definition.",
+ "uri": "https://aka.ms/alz/policies",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "wsText2",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please select workload and scope to apply initiatives to for each:",
+ "link": {
+ "label": "",
+ "uri": ""
+ }
+ }
+ },
+ {
+ "name": "enableWsCMKInitiatives",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Customer Managed Keys",
+ "defaultValue": "No",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected you will have the option to selected management groups to apply Customer Managed Keys initiative to. This applies to all services that support CMK if enabled. 
Check initiative here.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "wsCMKSelectorMG",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Management Group scope to assign Customer Managed Keys initiative to:",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": "[equals(steps('workloadspecific').enableWsCMKInitiatives, 'Yes')]",
+ "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}],
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Intermediate Root Management Group",
+ "description": "e.g. Contoso",
+ "value": "contoso"
+ },
+ {
+ "label": "Platform Management Group",
+ "description": "e.g. Contoso -> Platform",
+ "value": "contoso-platform"
+ },
+ {
+ "label": "Management Management Group",
+ "description": "e.g. Contoso -> Platform -> Management",
+ "value": "contoso-management"
+ },
+ {
+ "label": "Identity Management Group",
+ "description": "e.g. Contoso -> Platform -> Identity",
+ "value": "contoso-identity"
+ },
+ {
+ "label": "Connectivity Management Group",
+ "description": "e.g. Contoso -> Platform -> Connectivity",
+ "value": "contoso-connectivity"
+ },
+ {
+ "label": "Landing Zones Management Group",
+ "description": "e.g. Contoso -> Landing Zones",
+ "value": "contoso-landingzones"
+ },
+ {
+ "label": "Corp Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Corp",
+ "value": "contoso-corp"
+ },
+ {
+ "label": "Online Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Online",
+ "value": "contoso-online"
+ },
+ {
+ "label": "Decommissioned Management Group",
+ "description": "e.g. Contoso -> Decommissioned",
+ "value": "contoso-decommissioned"
+ },
+ {
+ "label": "Sandbox Management Group",
+ "description": "e.g. 
Contoso -> Sandbox",
+ "value": "contoso-sandboxes"
+ }
+ ],
+ "required": true
+ }
+ },
+ {
+ "name": "enableWsAPIMInitiatives",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "API Management",
+ "defaultValue": "No",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for API Management. Check initiative here.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "wsAPIMSelectorMG",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Management Group scope to assign API Management initiatives to:",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": "[equals(steps('workloadspecific').enableWsAPIMInitiatives, 'Yes')]",
+ "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}],
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Intermeditate Root Management Group",
+ "description": "e.g. Contoso",
+ "value": "contoso"
+ },
+ {
+ "label": "Platform Management Group",
+ "description": "e.g. Contoso -> Platform",
+ "value": "contoso-platform"
+ },
+ {
+ "label": "Management Management Group",
+ "description": "e.g. Contoso -> Platform -> Management",
+ "value": "contoso-management"
+ },
+ {
+ "label": "Identity Management Group",
+ "description": "e.g. Contoso -> Platform -> Identity",
+ "value": "contoso-identity"
+ },
+ {
+ "label": "Connectivity Management Group",
+ "description": "e.g. Contoso -> Platform -> Connectivity",
+ "value": "contoso-connectivity"
+ },
+ {
+ "label": "Landing Zones Management Group",
+ "description": "e.g. Contoso -> Landing Zones",
+ "value": "contoso-landingzones"
+ },
+ {
+ "label": "Corp Management Group",
+ "description": "e.g. 
Contoso -> Landing Zones -> Corp",
+ "value": "contoso-corp"
+ },
+ {
+ "label": "Online Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Online",
+ "value": "contoso-online"
+ },
+ {
+ "label": "Decommissioned Management Group",
+ "description": "e.g. Contoso -> Decommissioned",
+ "value": "contoso-decommissioned"
+ },
+ {
+ "label": "Sandbox Management Group",
+ "description": "e.g. Contoso -> Sandbox",
+ "value": "contoso-sandboxes"
+ }
+ ],
+ "required": true
+ }
+ },
+ {
+ "name": "enableWsAppServicesInitiatives",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "App Services",
+ "defaultValue": "No",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "wsAppServicesSelectorMG",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Management Group scopes to assign App Services initiative to:",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": "[equals(steps('workloadspecific').enableWsAppServicesInitiatives, 'Yes')]",
+ "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}],
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Intermeditate Root Management Group",
+ "description": "e.g. Contoso",
+ "value": "contoso"
+ },
+ {
+ "label": "Platform Management Group",
+ "description": "e.g. Contoso -> Platform",
+ "value": "contoso-platform"
+ },
+ {
+ "label": "Management Management Group",
+ "description": "e.g. Contoso -> Platform -> Management",
+ "value": "contoso-management"
+ },
+ {
+ "label": "Identity Management Group",
+ "description": "e.g. 
Contoso -> Platform -> Identity",
+ "value": "contoso-identity"
+ },
+ {
+ "label": "Connectivity Management Group",
+ "description": "e.g. Contoso -> Platform -> Connectivity",
+ "value": "contoso-connectivity"
+ },
+ {
+ "label": "Landing Zones Management Group",
+ "description": "e.g. Contoso -> Landing Zones",
+ "value": "contoso-landingzones"
+ },
+ {
+ "label": "Corp Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Corp",
+ "value": "contoso-corp"
+ },
+ {
+ "label": "Online Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Online",
+ "value": "contoso-online"
+ },
+ {
+ "label": "Decommissioned Management Group",
+ "description": "e.g. Contoso -> Decommissioned",
+ "value": "contoso-decommissioned"
+ },
+ {
+ "label": "Sandbox Management Group",
+ "description": "e.g. Contoso -> Sandbox",
+ "value": "contoso-sandboxes"
+ }
+ ],
+ "required": true
+ }
+ },
+ {
+ "name": "enableWsAutomationInitiatives",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Automation Accounts",
+ "defaultValue": "No",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "wsAutomationSelectorMG",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Management Group scopes to assign Automation Accounts initiative to:",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": "[equals(steps('workloadspecific').enableWsAutomationInitiatives, 'Yes')]",
+ "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}],
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Intermeditate Root Management Group",
+ "description": "e.g. 
Contoso",
+ "value": "contoso"
+ },
+ {
+ "label": "Platform Management Group",
+ "description": "e.g. Contoso -> Platform",
+ "value": "contoso-platform"
+ },
+ {
+ "label": "Management Management Group",
+ "description": "e.g. Contoso -> Platform -> Management",
+ "value": "contoso-management"
+ },
+ {
+ "label": "Identity Management Group",
+ "description": "e.g. Contoso -> Platform -> Identity",
+ "value": "contoso-identity"
+ },
+ {
+ "label": "Connectivity Management Group",
+ "description": "e.g. Contoso -> Platform -> Connectivity",
+ "value": "contoso-connectivity"
+ },
+ {
+ "label": "Landing Zones Management Group",
+ "description": "e.g. Contoso -> Landing Zones",
+ "value": "contoso-landingzones"
+ },
+ {
+ "label": "Corp Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Corp",
+ "value": "contoso-corp"
+ },
+ {
+ "label": "Online Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Online",
+ "value": "contoso-online"
+ },
+ {
+ "label": "Decommissioned Management Group",
+ "description": "e.g. Contoso -> Decommissioned",
+ "value": "contoso-decommissioned"
+ },
+ {
+ "label": "Sandbox Management Group",
+ "description": "e.g. Contoso -> Sandbox",
+ "value": "contoso-sandboxes"
+ }
+ ],
+ "required": true
+ }
+ },
+ {
+ "name": "enableWsCognitiveServicesInitiatives",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Cognitive Services",
+ "defaultValue": "No",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "wsCognitiveServicesSelectorMG",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Management Group scopes to assign Cognitive Services initiative to:",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": "[equals(steps('workloadspecific').enableWsCognitiveServicesInitiatives, 'Yes')]",
+ "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}],
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Intermeditate Root Management Group",
+ "description": "e.g. Contoso",
+ "value": "contoso"
+ },
+ {
+ "label": "Platform Management Group",
+ "description": "e.g. Contoso -> Platform",
+ "value": "contoso-platform"
+ },
+ {
+ "label": "Management Management Group",
+ "description": "e.g. Contoso -> Platform -> Management",
+ "value": "contoso-management"
+ },
+ {
+ "label": "Identity Management Group",
+ "description": "e.g. Contoso -> Platform -> Identity",
+ "value": "contoso-identity"
+ },
+ {
+ "label": "Connectivity Management Group",
+ "description": "e.g. Contoso -> Platform -> Connectivity",
+ "value": "contoso-connectivity"
+ },
+ {
+ "label": "Landing Zones Management Group",
+ "description": "e.g. Contoso -> Landing Zones",
+ "value": "contoso-landingzones"
+ },
+ {
+ "label": "Corp Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Corp",
+ "value": "contoso-corp"
+ },
+ {
+ "label": "Online Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Online",
+ "value": "contoso-online"
+ },
+ {
+ "label": "Decommissioned Management Group",
+ "description": "e.g. Contoso -> Decommissioned",
+ "value": "contoso-decommissioned"
+ },
+ {
+ "label": "Sandbox Management Group",
+ "description": "e.g. 
Contoso -> Sandbox",
+ "value": "contoso-sandboxes"
+ }
+ ],
+ "required": true
+ }
+ },
+ {
+ "name": "enableWsComputeInitiatives",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Compute",
+ "defaultValue": "No",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "wsComputeSelectorMG",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Management Group scopes to assign Compute initiative to:",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": "[equals(steps('workloadspecific').enableWsComputeInitiatives, 'Yes')]",
+ "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}],
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Intermeditate Root Management Group",
+ "description": "e.g. Contoso",
+ "value": "contoso"
+ },
+ {
+ "label": "Platform Management Group",
+ "description": "e.g. Contoso -> Platform",
+ "value": "contoso-platform"
+ },
+ {
+ "label": "Management Management Group",
+ "description": "e.g. Contoso -> Platform -> Management",
+ "value": "contoso-management"
+ },
+ {
+ "label": "Identity Management Group",
+ "description": "e.g. Contoso -> Platform -> Identity",
+ "value": "contoso-identity"
+ },
+ {
+ "label": "Connectivity Management Group",
+ "description": "e.g. Contoso -> Platform -> Connectivity",
+ "value": "contoso-connectivity"
+ },
+ {
+ "label": "Landing Zones Management Group",
+ "description": "e.g. Contoso -> Landing Zones",
+ "value": "contoso-landingzones"
+ },
+ {
+ "label": "Corp Management Group",
+ "description": "e.g. 
Contoso -> Landing Zones -> Corp",
+ "value": "contoso-corp"
+ },
+ {
+ "label": "Online Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Online",
+ "value": "contoso-online"
+ },
+ {
+ "label": "Decommissioned Management Group",
+ "description": "e.g. Contoso -> Decommissioned",
+ "value": "contoso-decommissioned"
+ },
+ {
+ "label": "Sandbox Management Group",
+ "description": "e.g. Contoso -> Sandbox",
+ "value": "contoso-sandboxes"
+ }
+ ],
+ "required": true
+ }
+ },
+ {
+ "name": "enableWsContainerAppsInitiatives",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Container Apps",
+ "defaultValue": "No",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "wsContainerAppsSelectorMG",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Management Group scopes to assign Container Apps initiative to:",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": "[equals(steps('workloadspecific').enableWsContainerAppsInitiatives, 'Yes')]",
+ "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}],
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Intermeditate Root Management Group",
+ "description": "e.g. Contoso",
+ "value": "contoso"
+ },
+ {
+ "label": "Platform Management Group",
+ "description": "e.g. Contoso -> Platform",
+ "value": "contoso-platform"
+ },
+ {
+ "label": "Management Management Group",
+ "description": "e.g. Contoso -> Platform -> Management",
+ "value": "contoso-management"
+ },
+ {
+ "label": "Identity Management Group",
+ "description": "e.g. 
Contoso -> Platform -> Identity",
+ "value": "contoso-identity"
+ },
+ {
+ "label": "Connectivity Management Group",
+ "description": "e.g. Contoso -> Platform -> Connectivity",
+ "value": "contoso-connectivity"
+ },
+ {
+ "label": "Landing Zones Management Group",
+ "description": "e.g. Contoso -> Landing Zones",
+ "value": "contoso-landingzones"
+ },
+ {
+ "label": "Corp Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Corp",
+ "value": "contoso-corp"
+ },
+ {
+ "label": "Online Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Online",
+ "value": "contoso-online"
+ },
+ {
+ "label": "Decommissioned Management Group",
+ "description": "e.g. Contoso -> Decommissioned",
+ "value": "contoso-decommissioned"
+ },
+ {
+ "label": "Sandbox Management Group",
+ "description": "e.g. Contoso -> Sandbox",
+ "value": "contoso-sandboxes"
+ }
+ ],
+ "required": true
+ }
+ },
+ {
+ "name": "enableWsContainerInstanceInitiatives",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Container Instance",
+ "defaultValue": "No",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "wsContainerInstanceSelectorMG",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select Management Group scopes to assign Container Instance initiative to:",
+ "toolTip": "",
+ "multiselect": true,
+ "selectAll": false,
+ "filter": true,
+ "filterPlaceholder": "Filter items ...",
+ "multiLine": true,
+ "visible": "[equals(steps('workloadspecific').enableWsContainerInstanceInitiatives, 'Yes')]",
+ "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}],
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Intermeditate Root Management Group",
+ "description": "e.g. 
Contoso",
+ "value": "contoso"
+ },
+ {
+ "label": "Platform Management Group",
+ "description": "e.g. Contoso -> Platform",
+ "value": "contoso-platform"
+ },
+ {
+ "label": "Management Management Group",
+ "description": "e.g. Contoso -> Platform -> Management",
+ "value": "contoso-management"
+ },
+ {
+ "label": "Identity Management Group",
+ "description": "e.g. Contoso -> Platform -> Identity",
+ "value": "contoso-identity"
+ },
+ {
+ "label": "Connectivity Management Group",
+ "description": "e.g. Contoso -> Platform -> Connectivity",
+ "value": "contoso-connectivity"
+ },
+ {
+ "label": "Landing Zones Management Group",
+ "description": "e.g. Contoso -> Landing Zones",
+ "value": "contoso-landingzones"
+ },
+ {
+ "label": "Corp Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Corp",
+ "value": "contoso-corp"
+ },
+ {
+ "label": "Online Management Group",
+ "description": "e.g. Contoso -> Landing Zones -> Online",
+ "value": "contoso-online"
+ },
+ {
+ "label": "Decommissioned Management Group",
+ "description": "e.g. Contoso -> Decommissioned",
+ "value": "contoso-decommissioned"
+ },
+ {
+ "label": "Sandbox Management Group",
+ "description": "e.g. Contoso -> Sandbox",
+ "value": "contoso-sandboxes"
+ }
+ ],
+ "required": true
+ }
+ },
+ {
+ "name": "enableWsContainerRegistryInitiatives",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Container Registry",
+ "defaultValue": "No",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsContainerRegistrySelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign Container Registry initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsContainerRegistryInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsCosmosDbInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Cosmos DB", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsCosmosDbSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Cosmos DB initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsCosmosDbInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsDataExplorerInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Data Explorer", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsDataExplorerSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Data Explorer initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsDataExplorerInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. 
Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsDataFactoryInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Data Factory", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsDataFactorySelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Data Factory initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsDataFactoryInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. 
Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsEventGridInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Event Grid", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsEventGridSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Event Grid initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsEventGridInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsEventHubInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Event Hub", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsEventHubSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Event Hub initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsEventHubInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsKeyVaultSupInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Key Vault - Supplementary", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsKeyVaultSupSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Key Vault - Supplementary initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsKeyVaultSupInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. 
Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsKubernetesInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Kubernetes", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsKubernetesSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Kubernetes initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsKubernetesInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. 
Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsMachineLearningInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Machine Learning", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsMachineLearningSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Machine Learning initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsMachineLearningInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsMySQLInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "MySQL", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsMySQLSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the MySQL initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsMySQLInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsNetworkInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Network and Networking services", + "defaultValue": "No", + "visible": "[equals(steps('connectivity').enableDdoS, 'Yes')]", + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsNetworkSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Network and Networking services initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsNetworkInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. 
Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsOpenAIInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Open AI", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsOpenAISelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Open AI initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsOpenAIInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. 
Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsPostgreSQLInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "PostgreSQL", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsPostgreSQLSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the PostgreSQL initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsPostgreSQLInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsServiceBusInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Service Bus", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsServiceBusSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Service Bus initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsServiceBusInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsSQLInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "SQL", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsSQLSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the SQL initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsSQLInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. 
Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsStorageInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Storage", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsStorageSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Storage initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsStorageInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. 
Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsSynapseInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Synapse", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. 
Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsSynapseSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Synapse initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsSynapseInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. 
Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + }, + { + "name": "enableWsVirtualDesktopInitiatives", + "type": "Microsoft.Common.OptionsGroup", + "label": "Virtual Desktop", + "defaultValue": "No", + "visible": true, + "toolTip": "If 'Yes' is selected you will have the option to selected additional policy initiatives for regulated industries. Check initiative here.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "wsVirtualDesktopSelectorMG", + "type": "Microsoft.Common.DropDown", + "label": "Select Management Group scopes to assign the Virtual Desktop initiative to:", + "toolTip": "", + "multiselect": true, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[equals(steps('workloadspecific').enableWsVirtualDesktopInitiatives, 'Yes')]", + "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. 
Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": true + } + } + ] + }, + { + "name": "decommissionedSandboxZones", + "label": "Decommissioned/Sandbox", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "ALZ - Decommissioned and Sandbox Landing Zones Settings", + "elements": [ + { + "name": "infoBox2", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "You can optionally choose to enable the assignment of recommended policies for the Decommissioned and Sandbox landing zones that will enable policies according to best practices.", + "uri": "https://aka.ms/alz/policies", + "style": "Info" + } + }, + { + "name": "decommSection", + "type": "Microsoft.Common.Section", + "label": "Decommissioned Management Group", + "elements": [ + { + "name": "decommSettingsInfo", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('basics').cloudEnvironment.selection, 'AzureCloud')]", + "options": { + "text": "The following policies will be enabled:
  • Deny the deployment of new resources
  • Deploy an auto VM shutdown policy at UTC 00:00
", + "uri": "https://aka.ms/alz/policies", + "style": "Info" + } + }, + { + "name": "enableDecommissioned", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enforce ALZ Recommended policy controls on the Decommissioned Management Group?", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected for Decommissioned, the Enforce-ALZ-Decomm initiative will be applied to the Decommissioned Management Group.
Uses the custom initiative Enforce policies in the Decommissioned Landing Zone.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "Audit only", + "value": "Audit" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + } + ], + "visible": "[equals(steps('basics').cloudEnvironment.selection, 'AzureCloud')]" + }, + { + "name": "sandboxSection", + "type": "Microsoft.Common.Section", + "label": "Sandbox Management Group", + "elements": [ + { + "name": "sandboxSettingsInfo", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('basics').cloudEnvironment.selection, 'AzureCloud')]", + "options": { + "text": "The following policies will be enabled:
  • Deny vNET peering across subscriptions
  • Deny the deployment of vWAN/ER/VPN gateways
", + "uri": "https://aka.ms/alz/policies", + "style": "Info" + } + }, + { + "name": "enableSandbox", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enforce ALZ recommended policy controls on the Sandbox Management Group?", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected for sandbox, the Enforce-ALZ-Sandbox initiative will be applied to the Sandbox Management Group.
Uses the custom initiative Enforce policies in the Sandbox Landing Zone.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "Audit only", + "value": "Audit" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + } + ], + "visible": "[equals(steps('basics').cloudEnvironment.selection, 'AzureCloud')]" + } + ] + }, + { + "name": "regulatory", + "label": "Regulatory Compliance", + "elements": [ + { + "name": "regComplianceText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "You can optionally select one, or more, Regulatory Compliance built-in Policy Initiatives (Set Definitions) to assign to the Intermediate Root Management Group of your Azure Landing Zones hierarchy (e.g. Contoso).", + "link": { + "label": "See available initiatives and control mappings...", + "uri": "https://learn.microsoft.com/azure/azure-resource-manager/management/security-controls-policy" + } + } + }, + { + "name": "regComplianceInfoMcsb", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "The Microsoft Cloud Security Benchmark (MCSB) is already assigned in to the Intermediate Root Management Group of your Azure Landing Zones hierarchy (e.g. Contoso). Click on this box to see the controls mapped for this initiative and also find in the TOC other Regulatory Compliance built-in Policy Initiatives (Set Definitions)", + "uri": "https://learn.microsoft.com/azure/governance/policy/samples/azure-security-benchmark", + "style": "Info" + } + }, + { + "name": "regComplianceInfoAlzPolicyAssignments", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "Azure Landing Zones makes a number of default Azure Policy Assignments that help bootstrap your environment to be able to host workloads in Application Landing Zones (Azure Subscriptions). 
Click on this box to see the default ALZ Policy Assignments", + "uri": "https://aka.ms/alz/policies", + "style": "Info" + } + }, + { + "name": "regComplianceSelectorCheck", + "type": "Microsoft.Common.OptionsGroup", + "label": "Do you wish to assign additional Regulatory Compliance Policy Initiatives to your Azure Landing Zones Management Groups hierarchy?", + "defaultValue": "No", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "regComplianceAlzMgDiagram", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('regulatory').regComplianceSelectorCheck, 'Yes')]", + "options": { + "icon": "None", + "text": "Azure Landing Zones Management Group Hierarchy" + } + }, + { + "name": "regComplianceWarnLite", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('core').platformSubscription, 'Single'), equals(steps('regulatory').regComplianceSelectorCheck, 'Yes'))]", + "options": { + "text": "You have selected a single platform Management Group and Subscripiton instead of a dedicated Subscriptions and Management Groups for the platform services. Please do not select the management, identity or connectivity Management Groups in the drop downs below as this will cause the deployment to fail.", + "uri": "https://aka.ms/alz", + "style": "Warning" + } + }, + { + "name": "regComplianceWarnParams", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('regulatory').regComplianceSelectorCheck, 'Yes')]", + "options": { + "text": "Some Regulatory Compliance Policy Initiatives require specific parameter values to be set. Once you have selected the policies to assign and to which Management Group, please scroll down to provide any required parameter values. If you do not know the values for any of the required parameters requested below please leave them empty or enter a placeholder value and complete the ALZ deployment. 
You can then enter the Policy area in the Azure Portal once complete and edit the assignment parameter values at a later stage when you know the values. (click on this box to be taken to the Azure Policy Docs)", + "uri": "https://learn.microsoft.com/azure/governance/policy/assign-policy-portal", + "style": "Info" + } + }, + { + "name": "regComplianceSelectorFull", + "type": "Microsoft.Common.EditableGrid", + "ariaLabel": "Assign regulatory compliance policies to the Management Group of your choice in Azure Landing Zones hierarchy", + "label": "Assign regulatory compliance policies to the Management Group of your choice in Azure Landing Zones hierarchy", + "visible": "[equals(steps('regulatory').regComplianceSelectorCheck, 'Yes')]", + "constraints": { + "width": "Full", + "rows": { + "count": { + "min": 1, + "max": 20 + } + }, + "columns": [ + { + "id": "mg", + "header": "Management Group To Assign To", + "width": "1fr", + "element": { + "name": "regComplianceSelectorManagementGroups", + "type": "Microsoft.Common.DropDown", + "label": "Management Groups", + "defaultValue": "[parse('[]')]", + "toolTip": "", + "multiselect": false, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "constraints": { + "allowedValues": [ + { + "label": "Intermeditate Root Management Group", + "description": "e.g. Contoso", + "value": "contoso" + }, + { + "label": "Platform Management Group", + "description": "e.g. Contoso -> Platform", + "value": "contoso-platform" + }, + { + "label": "Management Management Group", + "description": "e.g. Contoso -> Platform -> Management", + "value": "contoso-management" + }, + { + "label": "Identity Management Group", + "description": "e.g. Contoso -> Platform -> Identity", + "value": "contoso-identity" + }, + { + "label": "Connectivity Management Group", + "description": "e.g. 
Contoso -> Platform -> Connectivity", + "value": "contoso-connectivity" + }, + { + "label": "Landing Zones Management Group", + "description": "e.g. Contoso -> Landing Zones", + "value": "contoso-landingzones" + }, + { + "label": "Corp Management Group", + "description": "e.g. Contoso -> Landing Zones -> Corp", + "value": "contoso-corp" + }, + { + "label": "Online Management Group", + "description": "e.g. Contoso -> Landing Zones -> Online", + "value": "contoso-online" + }, + { + "label": "Decommissioned Management Group", + "description": "e.g. Contoso -> Decommissioned", + "value": "contoso-decommissioned" + }, + { + "label": "Sandbox Management Group", + "description": "e.g. Contoso -> Sandbox", + "value": "contoso-sandboxes" + } + ], + "required": false + } + } + }, + { + "id": "policy", + "header": "Regulatory Compliance Policy Initative", + "width": "1fr", + "element": { + "name": "regComplianceSelectorPolicies", + "type": "Microsoft.Common.DropDown", + "label": "Regulatory Compliance Policies", + "defaultValue": "[parse('[]')]", + "toolTip": "", + "multiselect": false, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter Regulatory Compliance Policy Initiatives...", + "multiLine": true, + "visible": true, + "constraints": { + "allowedValues": "[steps('basics').getRegulatoryCompliancePolicies.data]", + "required": false + } + } + } + ] + } + }, + { + "name": "regPolicyParamAusGovIsmRestricted", + "type": "Microsoft.Common.Section", + "label": "Australian Government ISM PROTECTED - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyParamAusGovIsmRestrictedNeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of Australian Government ISM PROTECTED that requires values for specific parameter values to be set. 
Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParAusGovIsmRestrictedVmAdminsExclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be excluded in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParAusGovIsmRestrictedResourceTypes", + "type": "Microsoft.Common.OptionsGroup", + "label": "List of resource types that should have diagnostic logging enabled", + "defaultValue": "All Resource Types", + "toolTip": "You can select either all or none here in this portal experience, if you wish to be more granular please chose either option and then once deployed via the ALZ portal accelerator you can edit the assignment via the Policy area of the Azure Portal.", + "constraints": { + "allowedValues": [ + { + "label": "All Resource Types", + "value": "all" + }, + { + "label": "None", + "value": "none" + } + ], + "required": true + }, + "visible": true + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077'), true, false)]" + }, + { + "name": "regPolicyParamMPAA", + "type": "Microsoft.Common.Section", + "label": "Motion Picture Association of America (MPAA) - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyParamMPAANeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of Motion Picture Association of America (MPAA) that requires values for specific parameter values to be set. 
Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParMPAACertificateThumb", + "type": "Microsoft.Common.TextBox", + "label": "Certificate thumbprints that should exist under the Trusted Root", + "toolTip": "A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParMPAAApplicationName", + "type": "Microsoft.Common.TextBox", + "label": "Application names to be installed on VMs", + "toolTip": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'python; powershell; Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014')'", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParMPAAStoragePrefix", + "type": "Microsoft.Common.TextBox", + "label": "Storage Account Prefix for Regional Storage Account to deploy diagnostic settings for Network Security Groups", + "toolTip": "This prefix will be combined with the network security group location to form the created storage account name.", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParMPAAResGroupPrefix", + "type": "Microsoft.Common.TextBox", + "label": "Resource Group Name for Storage Account to deploy diagnostic settings for Network Security Groups", + "toolTip": "The resource group that the storage account will be created in.", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParMPAARBatchMetricName", + "type": "Microsoft.Common.TextBox", + "label": "Metric name on which alert rules should be configured in Batch accounts", + "toolTip": "The metric name that an alert rule must be enabled on", + 
"constraints": { + "required": false + } + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8'), true, false)]" + }, + { + "name": "regPolicyParamSovBaseGlobal", + "type": "Microsoft.Common.Section", + "label": "Sovereignty Baseline - Global Policies - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyParamSovBaseGlobalNeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of Sovereignty Baseline - Global Policies that requires values for specific parameter values to be set. Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParSovBaseGlobalRegions", + "type": "Microsoft.Common.DropDown", + "label": "The list of Azure Regions that are approved for usage", + "defaultValue": [ + { + "label": "eastus", + "value": "eastus" + }, + { + "label": "eastus2", + "value": "eastus2" + }, + { + "label": "southcentralus", + "value": "southcentralus" + }, + { + "label": "westus2", + "value": "westus2" + }, + { + "label": "westus3", + "value": "westus3" + }, + { + "label": "australiaeast", + "value": "australiaeast" + }, + { + "label": "southeastasia", + "value": "southeastasia" + }, + { + "label": "northeurope", + "value": "northeurope" + }, + { + "label": "swedencentral", + "value": "swedencentral" + }, + { + "label": "uksouth", + "value": "uksouth" + }, + { + "label": "westeurope", + "value": "westeurope" + }, + { + "label": "centralus", + "value": "centralus" + }, + { + "label": "southafricanorth", + "value": "southafricanorth" + }, + { + "label": "centralindia", + "value": "centralindia" + }, + { + "label": "eastasia", + "value": "eastasia" + }, + { + "label": "japaneast", + "value": 
"japaneast" + }, + { + "label": "koreacentral", + "value": "koreacentral" + }, + { + "label": "canadacentral", + "value": "canadacentral" + }, + { + "label": "francecentral", + "value": "francecentral" + }, + { + "label": "germanywestcentral", + "value": "germanywestcentral" + }, + { + "label": "italynorth", + "value": "italynorth" + }, + { + "label": "norwayeast", + "value": "norwayeast" + }, + { + "label": "polandcentral", + "value": "polandcentral" + }, + { + "label": "switzerlandnorth", + "value": "switzerlandnorth" + }, + { + "label": "uaenorth", + "value": "uaenorth" + }, + { + "label": "brazilsouth", + "value": "brazilsouth" + }, + { + "label": "centraluseuap", + "value": "centraluseuap" + }, + { + "label": "israelcentral", + "value": "israelcentral" + }, + { + "label": "qatarcentral", + "value": "qatarcentral" + }, + { + "label": "northcentralus", + "value": "northcentralus" + }, + { + "label": "westus", + "value": "westus" + }, + { + "label": "japanwest", + "value": "japanwest" + }, + { + "label": "eastus2euap", + "value": "eastus2euap" + }, + { + "label": "westcentralus", + "value": "westcentralus" + }, + { + "label": "southafricawest", + "value": "southafricawest" + }, + { + "label": "australiacentral", + "value": "australiacentral" + }, + { + "label": "australiacentral2", + "value": "australiacentral2" + }, + { + "label": "australiasoutheast", + "value": "australiasoutheast" + }, + { + "label": "koreasouth", + "value": "koreasouth" + }, + { + "label": "southindia", + "value": "southindia" + }, + { + "label": "westindia", + "value": "westindia" + }, + { + "label": "canadaeast", + "value": "canadaeast" + }, + { + "label": "francesouth", + "value": "francesouth" + }, + { + "label": "germanynorth", + "value": "germanynorth" + }, + { + "label": "norwaywest", + "value": "norwaywest" + }, + { + "label": "switzerlandwest", + "value": "switzerlandwest" + }, + { + "label": "ukwest", + "value": "ukwest" + }, + { + "label": "uaecentral", + "value": "uaecentral" + 
}, + { + "label": "brazilsoutheast", + "value": "brazilsoutheast" + } + ], + "toolTip": "Any non-global resources attempted to be deployed outsize of this region will be restricted.", + "multiselect": true, + "selectAll": true, + "filter": true, + "filterPlaceholder": "Filter Azure Regions...", + "constraints": { + "allowedValues": [ + { + "label": "eastus", + "value": "eastus" + }, + { + "label": "eastus2", + "value": "eastus2" + }, + { + "label": "southcentralus", + "value": "southcentralus" + }, + { + "label": "westus2", + "value": "westus2" + }, + { + "label": "westus3", + "value": "westus3" + }, + { + "label": "australiaeast", + "value": "australiaeast" + }, + { + "label": "southeastasia", + "value": "southeastasia" + }, + { + "label": "northeurope", + "value": "northeurope" + }, + { + "label": "swedencentral", + "value": "swedencentral" + }, + { + "label": "uksouth", + "value": "uksouth" + }, + { + "label": "westeurope", + "value": "westeurope" + }, + { + "label": "centralus", + "value": "centralus" + }, + { + "label": "southafricanorth", + "value": "southafricanorth" + }, + { + "label": "centralindia", + "value": "centralindia" + }, + { + "label": "eastasia", + "value": "eastasia" + }, + { + "label": "japaneast", + "value": "japaneast" + }, + { + "label": "koreacentral", + "value": "koreacentral" + }, + { + "label": "canadacentral", + "value": "canadacentral" + }, + { + "label": "francecentral", + "value": "francecentral" + }, + { + "label": "germanywestcentral", + "value": "germanywestcentral" + }, + { + "label": "italynorth", + "value": "italynorth" + }, + { + "label": "norwayeast", + "value": "norwayeast" + }, + { + "label": "polandcentral", + "value": "polandcentral" + }, + { + "label": "switzerlandnorth", + "value": "switzerlandnorth" + }, + { + "label": "uaenorth", + "value": "uaenorth" + }, + { + "label": "brazilsouth", + "value": "brazilsouth" + }, + { + "label": "centraluseuap", + "value": "centraluseuap" + }, + { + "label": "israelcentral", + 
"value": "israelcentral" + }, + { + "label": "qatarcentral", + "value": "qatarcentral" + }, + { + "label": "northcentralus", + "value": "northcentralus" + }, + { + "label": "westus", + "value": "westus" + }, + { + "label": "japanwest", + "value": "japanwest" + }, + { + "label": "eastus2euap", + "value": "eastus2euap" + }, + { + "label": "westcentralus", + "value": "westcentralus" + }, + { + "label": "southafricawest", + "value": "southafricawest" + }, + { + "label": "australiacentral", + "value": "australiacentral" + }, + { + "label": "australiacentral2", + "value": "australiacentral2" + }, + { + "label": "australiasoutheast", + "value": "australiasoutheast" + }, + { + "label": "koreasouth", + "value": "koreasouth" + }, + { + "label": "southindia", + "value": "southindia" + }, + { + "label": "westindia", + "value": "westindia" + }, + { + "label": "canadaeast", + "value": "canadaeast" + }, + { + "label": "francesouth", + "value": "francesouth" + }, + { + "label": "germanynorth", + "value": "germanynorth" + }, + { + "label": "norwaywest", + "value": "norwaywest" + }, + { + "label": "switzerlandwest", + "value": "switzerlandwest" + }, + { + "label": "ukwest", + "value": "ukwest" + }, + { + "label": "uaecentral", + "value": "uaecentral" + }, + { + "label": "brazilsoutheast", + "value": "brazilsoutheast" + } + ], + "required": true + }, + "visible": true + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523'), true, false)]" + }, + { + "name": "regPolicyParamSovBaseConf", + "type": "Microsoft.Common.Section", + "label": "Sovereignty Baseline - Confidential Policies - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyParamSovBaseConfNeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of 
Sovereignty Baseline - Confidential Policies that requires values for specific parameter values to be set. Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParSovBaseConfRegions", + "type": "Microsoft.Common.DropDown", + "label": "The list of Azure Regions that are approved for usage", + "defaultValue": [ + { + "label": "eastus", + "value": "eastus" + }, + { + "label": "eastus2", + "value": "eastus2" + }, + { + "label": "southcentralus", + "value": "southcentralus" + }, + { + "label": "westus2", + "value": "westus2" + }, + { + "label": "westus3", + "value": "westus3" + }, + { + "label": "australiaeast", + "value": "australiaeast" + }, + { + "label": "southeastasia", + "value": "southeastasia" + }, + { + "label": "northeurope", + "value": "northeurope" + }, + { + "label": "swedencentral", + "value": "swedencentral" + }, + { + "label": "uksouth", + "value": "uksouth" + }, + { + "label": "westeurope", + "value": "westeurope" + }, + { + "label": "centralus", + "value": "centralus" + }, + { + "label": "southafricanorth", + "value": "southafricanorth" + }, + { + "label": "centralindia", + "value": "centralindia" + }, + { + "label": "eastasia", + "value": "eastasia" + }, + { + "label": "japaneast", + "value": "japaneast" + }, + { + "label": "koreacentral", + "value": "koreacentral" + }, + { + "label": "canadacentral", + "value": "canadacentral" + }, + { + "label": "francecentral", + "value": "francecentral" + }, + { + "label": "germanywestcentral", + "value": "germanywestcentral" + }, + { + "label": "italynorth", + "value": "italynorth" + }, + { + "label": "norwayeast", + "value": "norwayeast" + }, + { + "label": "polandcentral", + "value": "polandcentral" + }, + { + "label": "switzerlandnorth", + "value": "switzerlandnorth" + }, + { + "label": "uaenorth", + "value": "uaenorth" + }, + { + "label": "brazilsouth", + "value": "brazilsouth" + }, + { + "label": 
"centraluseuap", + "value": "centraluseuap" + }, + { + "label": "israelcentral", + "value": "israelcentral" + }, + { + "label": "qatarcentral", + "value": "qatarcentral" + }, + { + "label": "northcentralus", + "value": "northcentralus" + }, + { + "label": "westus", + "value": "westus" + }, + { + "label": "japanwest", + "value": "japanwest" + }, + { + "label": "eastus2euap", + "value": "eastus2euap" + }, + { + "label": "westcentralus", + "value": "westcentralus" + }, + { + "label": "southafricawest", + "value": "southafricawest" + }, + { + "label": "australiacentral", + "value": "australiacentral" + }, + { + "label": "australiacentral2", + "value": "australiacentral2" + }, + { + "label": "australiasoutheast", + "value": "australiasoutheast" + }, + { + "label": "koreasouth", + "value": "koreasouth" + }, + { + "label": "southindia", + "value": "southindia" + }, + { + "label": "westindia", + "value": "westindia" + }, + { + "label": "canadaeast", + "value": "canadaeast" + }, + { + "label": "francesouth", + "value": "francesouth" + }, + { + "label": "germanynorth", + "value": "germanynorth" + }, + { + "label": "norwaywest", + "value": "norwaywest" + }, + { + "label": "switzerlandwest", + "value": "switzerlandwest" + }, + { + "label": "ukwest", + "value": "ukwest" + }, + { + "label": "uaecentral", + "value": "uaecentral" + }, + { + "label": "brazilsoutheast", + "value": "brazilsoutheast" + } + ], + "toolTip": "Any non-global resources attempted to be deployed outsize of this region will be restricted.", + "multiselect": true, + "selectAll": true, + "filter": true, + "filterPlaceholder": "Filter Azure Regions...", + "constraints": { + "allowedValues": [ + { + "label": "eastus", + "value": "eastus" + }, + { + "label": "eastus2", + "value": "eastus2" + }, + { + "label": "southcentralus", + "value": "southcentralus" + }, + { + "label": "westus2", + "value": "westus2" + }, + { + "label": "westus3", + "value": "westus3" + }, + { + "label": "australiaeast", + "value": 
"australiaeast" + }, + { + "label": "southeastasia", + "value": "southeastasia" + }, + { + "label": "northeurope", + "value": "northeurope" + }, + { + "label": "swedencentral", + "value": "swedencentral" + }, + { + "label": "uksouth", + "value": "uksouth" + }, + { + "label": "westeurope", + "value": "westeurope" + }, + { + "label": "centralus", + "value": "centralus" + }, + { + "label": "southafricanorth", + "value": "southafricanorth" + }, + { + "label": "centralindia", + "value": "centralindia" + }, + { + "label": "eastasia", + "value": "eastasia" + }, + { + "label": "japaneast", + "value": "japaneast" + }, + { + "label": "koreacentral", + "value": "koreacentral" + }, + { + "label": "canadacentral", + "value": "canadacentral" + }, + { + "label": "francecentral", + "value": "francecentral" + }, + { + "label": "germanywestcentral", + "value": "germanywestcentral" + }, + { + "label": "italynorth", + "value": "italynorth" + }, + { + "label": "norwayeast", + "value": "norwayeast" + }, + { + "label": "polandcentral", + "value": "polandcentral" + }, + { + "label": "switzerlandnorth", + "value": "switzerlandnorth" + }, + { + "label": "uaenorth", + "value": "uaenorth" + }, + { + "label": "brazilsouth", + "value": "brazilsouth" + }, + { + "label": "centraluseuap", + "value": "centraluseuap" + }, + { + "label": "israelcentral", + "value": "israelcentral" + }, + { + "label": "qatarcentral", + "value": "qatarcentral" + }, + { + "label": "northcentralus", + "value": "northcentralus" + }, + { + "label": "westus", + "value": "westus" + }, + { + "label": "japanwest", + "value": "japanwest" + }, + { + "label": "eastus2euap", + "value": "eastus2euap" + }, + { + "label": "westcentralus", + "value": "westcentralus" + }, + { + "label": "southafricawest", + "value": "southafricawest" + }, + { + "label": "australiacentral", + "value": "australiacentral" + }, + { + "label": "australiacentral2", + "value": "australiacentral2" + }, + { + "label": "australiasoutheast", + "value": 
"australiasoutheast" + }, + { + "label": "koreasouth", + "value": "koreasouth" + }, + { + "label": "southindia", + "value": "southindia" + }, + { + "label": "westindia", + "value": "westindia" + }, + { + "label": "canadaeast", + "value": "canadaeast" + }, + { + "label": "francesouth", + "value": "francesouth" + }, + { + "label": "germanynorth", + "value": "germanynorth" + }, + { + "label": "norwaywest", + "value": "norwaywest" + }, + { + "label": "switzerlandwest", + "value": "switzerlandwest" + }, + { + "label": "ukwest", + "value": "ukwest" + }, + { + "label": "uaecentral", + "value": "uaecentral" + }, + { + "label": "brazilsoutheast", + "value": "brazilsoutheast" + } + ], + "required": true + }, + "visible": true + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea'), true, false)]" + }, + { + "name": "regPolicyParamSwift2020", + "type": "Microsoft.Common.Section", + "label": "SWIFT CSP-CSCF v2020 - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyParamParamSwift2020NeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of SWIFT CSP-CSCF v2020 that requires values for specific parameter values to be set. 
Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParSwift2020VmAdminsInclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be included in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParSwift2020DomainFqdn", + "type": "Microsoft.Common.TextBox", + "label": "Domain Name (FQDN)", + "toolTip": "The fully qualified domain name (FQDN) that the Windows VMs should be joined to", + "constraints": { + "required": false + } + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22'), true, false)]" + }, + { + "name": "regPolicyParamCanadaFedPbmm", + "type": "Microsoft.Common.Section", + "label": "Canada Federal PBMM - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyParamCanadaFedPbmmNeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of Canada Federal PBMM that requires values for specific parameter values to be set. 
Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParCanadaFedPbmmVmAdminsInclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be included in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParCanadaFedPbmmVmAdminsExclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be excluded in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87'), true, false)]" + }, + { + "name": "regPolicyParamCisV2", + "type": "Microsoft.Common.Section", + "label": "CIS Microsoft Azure Foundations Benchmark v2.0.0 - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyParamCisV2NeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of CIS Microsoft Azure Foundations Benchmark v2.0.0 that requires values for specific parameter values to be set. 
Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParCisV2KeyVaultKeysRotateDays", + "type": "Microsoft.Common.TextBox", + "label": "The maximum number of days before Keys in a Key Vault should be rotated.", + "toolTip": "Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation.", + "constraints": { + "required": false + }, + "defaultValue": 90 + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/06f19060-9e68-4070-92ca-f15cc126059e'), true, false)]" + }, + { + "name": "regPolicyParamCmmcL3", + "type": "Microsoft.Common.Section", + "label": "CMMC Level 3 - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyCmmcL3NeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of CMMC Level 3 that requires values for specific parameter values to be set. 
Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParCmmcL3VmAdminsInclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be included in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParCmmcL3VmAdminsExclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be excluded in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de'), true, false)]" + }, + { + "name": "regPolicyParamHitrustHipaa", + "type": "Microsoft.Common.Section", + "label": "HITRUST/HIPAA - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyParamHitrustHipaaNeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of HITRUST/HIPAA that requires values for specific parameter values to be set. 
Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParHitrustHipaaCertificateThumb", + "type": "Microsoft.Common.TextBox", + "label": "Certificate thumbprints that should exist under the Trusted Root", + "toolTip": "A semicolon-separated list of certificate thumbprints that should exist under the Trusted Root certificate store (Cert:\\LocalMachine\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParHitrustHipaaApplicationName", + "type": "Microsoft.Common.TextBox", + "label": "Application names to be installed on VMs", + "toolTip": "A semicolon-separated list of the names of the applications that should be installed. e.g. 'python; powershell; Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL Server 2014*' (to match any application starting with 'Microsoft SQL Server 2014')'", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParHitrustHipaaStoragePrefix", + "type": "Microsoft.Common.TextBox", + "label": "Storage Account Prefix for Regional Storage Account to deploy diagnostic settings for Network Security Groups", + "toolTip": "This prefix will be combined with the network security group location to form the created storage account name.", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParHitrustHipaaResGroupPrefix", + "type": "Microsoft.Common.TextBox", + "label": "Resource Group Name for Storage Account to deploy diagnostic settings for Network Security Groups", + "toolTip": "The resource group that the storage account will be created in.", + "constraints": { + "required": false + } + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab'), true, false)]" + 
}, + { + "name": "regPolicyParamIrs1075Sep2016", + "type": "Microsoft.Common.Section", + "label": "IRS1075 September 2016 - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyIrs1075Sep2016NeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of IRS1075 September 2016 that requires values for specific parameter values to be set. Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParIrs1075Sep2016VmAdminsInclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be included in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParIrs1075Sep2016VmAdminsExclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be excluded in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d'), true, false)]" + }, + { + "name": "regPolicyParamNistSp800171R2", + "type": "Microsoft.Common.Section", + "label": "NIST SP 800-171 Rev. 2 - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyNistSp800171R2NeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of NIST SP 800-171 Rev. 
2 that requires values for specific parameter values to be set. Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParNistSp800171R2VmAdminsInclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be included in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParNistSp800171R2VmAdminsExclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be excluded in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/03055927-78bd-4236-86c0-f36125a10dc9'), true, false)]" + }, + { + "name": "regPolicyParamNewZelandIsmRestricted", + "type": "Microsoft.Common.Section", + "label": "New Zealand ISM Restricted - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicyParamNewZelandIsmRestrictedNeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of New Zeland ISM Restricted that requires values for specific parameter values to be set. 
Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParNZIsmRestrictedVmAdminsInclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be included in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be included in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + }, + { + "name": "regCompPolParNZIsmRestrictedVmAdminsExclude", + "type": "Microsoft.Common.TextBox", + "label": "List of users that must be excluded in Windows VM Administrators group", + "toolTip": "A semicolon-separated list of users that should be excluded in the Administrators local group; Ex: Administrator; myUser1; myUser2", + "constraints": { + "required": false + } + } + ], + "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a'), true, false)]" + }, + { + "name": "regPolicyParamSoc2Type2", + "type": "Microsoft.Common.Section", + "label": "SOC 2 Type 2 - Required Policy Initative Parameters", + "elements": [ + { + "name": "regCompliancePolicySoc2Type2NeededWarn", + "type": "Microsoft.Common.InfoBox", + "visible": "true", + "options": { + "text": "You have selected the Regulatory Policy Initaitve of SOC 2 Type 2 that requires values for specific parameter values to be set. Please ensure you set the values for the required parameters for the policy in the below section.", + "style": "Warning" + } + }, + { + "name": "regCompPolParSoc2Type2AllowedRegistries", + "type": "Microsoft.Common.TextBox", + "label": "AKS + Arc K8s - Allowed registry or registries regex", + "toolTip": "The RegEx rule used to match allowed container image field in a Kubernetes cluster. 
For example, to allow any Azure Container Registry image by matching partial path: ^[^\\/]+\\.azurecr\\.io\\/.+$ and for multiple registries: ^([^\\/]+\\.azurecr\\.io|registry\\.io)\\/.+$",
+ "constraints": {
+ "required": false
+ },
+ "defaultValue": "^[^\\/]+\\.azurecr\\.io\\/.+$"
+ },
+ {
+ "name": "regCompPolParSoc2Type2MaxCpuUnits",
+ "type": "Microsoft.Common.TextBox",
+ "label": "AKS + Arc K8s - Max allowed CPU units",
+ "toolTip": "The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits ",
+ "constraints": {
+ "required": false
+ },
+ "defaultValue": "200m"
+ },
+ {
+ "name": "regCompPolParSoc2Type2MaxMemoryBytes",
+ "type": "Microsoft.Common.TextBox",
+ "label": "AKS + Arc K8s - Max allowed memory bytes",
+ "toolTip": "The maximum memory bytes allowed for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits ",
+ "constraints": {
+ "required": false
+ },
+ "defaultValue": "1Gi"
+ }
+ ],
+ "visible": "[if(contains(map(steps('regulatory').regComplianceSelectorFull, (item) => item.policy.id), '/providers/Microsoft.Authorization/policySetDefinitions/4054785f-702b-4a98-9215-009cbd58b141'), true, false)]"
+ }
+ ]
+ }
+ ]
+ },
+ "outputs": {
+ "parameters": {
+ "enterpriseScaleCompanyPrefix": "[steps('core').enterpriseScaleCompanyPrefix]",
+ "singlePlatformSubscriptionId": "[steps('core').singleSubscription.selector]",
+ "denyClassicResources": "[steps('core').denyClassicResources]",
+ "denyVMUnmanagedDisk": "[steps('core').denyVMUnmanagedDisk]",
+ "telemetryOptOut": "[steps('core').cuaSection.telemetryOptOut]",
+ "enforceKvGuardrailsPlat": "[steps('management').esPlatformMgmtGroup.enforceKvGuardrailsPlat]",
+ "enforceBackupPlat": "[steps('management').esPlatformMgmtGroup.enforceBackupPlat]",
+ "enableLogAnalytics": "[steps('management').enableLogAnalytics]",
+ "enableChangeTracking": "[steps('management').enableChangeTracking]",
+ "enableUpdateMgmt": "[steps('management').enableUpdateMgmt]",
+ "enableVmInsights": "[steps('management').enableVmInsights]",
+ "retentionInDays": "[string(steps('management').retentionInDays)]",
+ "enableSentinel": "[steps('management').enableSentinel]",
+ "managementSubscriptionId": "[steps('management').esMgmtSubSection.esMgmtSub]",
 "enableAsc": "[steps('management').enableAsc]",
 "emailContactAsc": "[steps('management').emailContactAsc]",
 "enableAscForServers": "[steps('management').enableAscForServers]",
+ "enableAscForServersVulnerabilityAssessments": "[steps('management').enableAscForServersVulnerabilityAssessments]",
 "enableAscForOssDb": "[steps('management').enableAscForOssDb]",
 "enableAscForCosmosDbs": "[steps('management').enableAscForCosmosDbs]",
 "enableAscForAppServices": "[steps('management').enableAscForAppServices]",
@@ -2665,24 +9006,26 @@
 "enableAscForSqlOnVm": "[steps('management').enableAscForSqlOnVm]",
 "enableAscForKeyVault": "[steps('management').enableAscForKeyVault]",
 "enableAscForArm": "[steps('management').enableAscForArm]",
- "enableAscForDns": "[steps('management').enableAscForDns]",
+ "enableAscForApis": "[steps('management').enableAscForApis]",
+ "enableAscForCspm": "[steps('management').enableAscForCspm]",
 "enableAscForContainers": "[steps('management').enableAscForContainers]",
- "enableSecuritySolution": "[steps('management').enableSecuritySolution]",
- "enableAzOps": "[steps('automation').enableAzOps]",
- "gitHubUserNameOrOrg": "[steps('automation').gitHubUserNameOrOrg]",
- "repositoryName": "[steps('automation').repositoryName]",
- "paToken": "[steps('automation').paToken]",
- "principalId": "[steps('automation').spnSection.esServicePrincipal.objectId]",
- "principalSecret": "[steps('automation').spnSection.esServicePrincipal.password]",
- "appId": "[steps('automation').spnSection.esServicePrincipal.appId]",
- "azOpsSubscriptionId": "[steps('management').esMgmtSubSection.esMgmtSub]",
+ "enableMDEndpoints": "[steps('management').enableMDEndpoints]",
+ "enableMonitorBaselines": "[steps('monitor').enableMonitorBaselines]",
+ "monitorAlertsResourceGroup": "[steps('monitor').monitorAlertsResourceGroup]",
+ "emailContactActionGroup": "[steps('monitor').emailContactActionGroup]",
+ "enableMonitorConnectivity": "[steps('monitor').enableMonitorConnectivity]",
+ "enableMonitorIdentity": "[steps('monitor').enableMonitorIdentity]",
+ "enableMonitorManagement": "[steps('monitor').enableMonitorManagement]",
+ "enableMonitorLandingZones": "[steps('monitor').enableMonitorLandingZones]",
 "connectivitySubscriptionId": "[if(not(equals(steps('connectivity').esNwSubSection.esNwSub,steps('management').esMgmtSubSection.esMgmtSub)),steps('connectivity').esNwSubSection.esNwSub,'')]",
 "addressPrefix": "[coalesce(steps('connectivity').esAddressHubVWAN, steps('connectivity').esAddressHubHS, '')]",
 "connectivityLocation": "[steps('connectivity').connectivityLocation]",
 "enableDdoS": "[steps('connectivity').enableDdoS]",
 "enablePrivateDnsZones": "[steps('connectivity').enablePrivateDnsZones]",
+ "privateDnsZonesToDeploy": "[steps('connectivity').privateDnsZones]",
 "enableVpnGw": "[steps('connectivity').enableVpnGw]",
 "gwRegionalOrAz": "[steps('connectivity').gwRegionalOrAz]",
+ "enableVpnActiveActive": "[steps('connectivity').enableVpnActiveActive]",
 "gwRegionalSku": "[coalesce(steps('connectivity').gwRegionalSku, steps('connectivity').esGwNoAzSku)]",
 "gwAzSku": "[steps('connectivity').gwAzSku]",
 "vpnGateWayScaleUnit": "[steps('connectivity').vpnGateWayScaleUnit]",
@@ -2694,42 +9037,166 @@
 "expressRouteScaleUnit": "[steps('connectivity').expressRouteScaleUnit]",
 "enableHub": "[steps('connectivity').enableHub]",
 "enableAzFw": "[steps('connectivity').enableAzFw]",
- "enableAzFwDnsProxy": "[steps('connectivity').enableAzFwDnsProxy]",
+ "enableAzFwDnsProxy": "[if(equals(steps('connectivity').firewallSku, 'Basic'), 'No', steps('connectivity').enableAzFwDnsProxy)]",
 "firewallSku": "[steps('connectivity').firewallSku]",
 "firewallZones": "[steps('connectivity').firewallZones]",
 "subnetMaskForAzFw": "[steps('connectivity').subnetMaskForAzFw]",
+ "subnetMaskForAzFwMgmt": "[steps('connectivity').subnetMaskForAzFwMgmt]",
+ "enablevWANRoutingIntent": "[steps('connectivity').enablevWANRoutingIntent]",
+ "internetTrafficRoutingPolicy": "[if(equals(steps('connectivity').vWANRoutingIntentforInternetTraffic, 'Yes'), 'true', 'false')]",
+ "privateTrafficRoutingPolicy": "[if(equals(steps('connectivity').vWANRoutingIntentforPrivateTraffic, 'Yes'), 'true', 'false')]",
+ "vWANHubRoutingPreference": "[steps('connectivity').vWANHubRoutingPreference]",
+ "vWANHubCapacity": "[steps('connectivity').vWANHubCapacity]",
+ "addressPrefixSecondary": "[coalesce(steps('connectivity').esNetworkSecondarySubSection.esAddressHubVWANSecondary, steps('connectivity').esNetworkSecondarySubSection.esAddressHubHSSecondary, '')]",
+ "connectivityLocationSecondary": "[steps('connectivity').esNetworkSecondarySubSection.connectivityLocationSecondary]",
+ "enablePrivateDnsZonesSecondary": "No",
+ "privateDnsZonesToDeploySecondary": null,
+ "enableVpnGwSecondary": "[steps('connectivity').esNetworkSecondarySubSection.enableVpnGwSecondary]",
+ "gwRegionalOrAzSecondary": "[steps('connectivity').esNetworkSecondarySubSection.gwRegionalOrAzSecondary]",
+ "enableVpnActiveActiveSecondary": "[steps('connectivity').esNetworkSecondarySubSection.enableVpnActiveActiveSecondary]",
+ "gwRegionalSkuSecondary": "[coalesce(steps('connectivity').esNetworkSecondarySubSection.gwRegionalSkuSecondary, steps('connectivity').esNetworkSecondarySubSection.esGwNoAzSkuSecondary)]",
+ "gwAzSkuSecondary": "[steps('connectivity').esNetworkSecondarySubSection.gwAzSkuSecondary]",
+ "vpnGateWayScaleUnitSecondary": "[steps('connectivity').esNetworkSecondarySubSection.vpnGateWayScaleUnitSecondary]",
+ "subnetMaskForGwSecondary": "[steps('connectivity').esNetworkSecondarySubSection.subnetMaskForGwSecondary]",
+ "enableErGwSecondary": "[steps('connectivity').esNetworkSecondarySubSection.enableErGwSecondary]",
+ "erAzSkuSecondary": "[steps('connectivity').esNetworkSecondarySubSection.erAzSkuSecondary]",
+ "erRegionalSkuSecondary": "[coalesce(steps('connectivity').esNetworkSecondarySubSection.erRegionalSkuSecondary, steps('connectivity').esNetworkSecondarySubSection.esErNoAzSkuSecondary)]",
+ "erRegionalOrAzSecondary": "[steps('connectivity').esNetworkSecondarySubSection.erRegionalOrAzSecondary]",
+ "expressRouteScaleUnitSecondary": "[steps('connectivity').esNetworkSecondarySubSection.expressRouteScaleUnitSecondary]",
+ "enableSecondaryRegion": "[steps('core').deploySecondaryRegion]",
+ "enableHubSecondary": "[steps('connectivity').enableHub]",
+ "enableAzFwSecondary": "[steps('connectivity').esNetworkSecondarySubSection.enableAzFwSecondary]",
+ "enableAzFwDnsProxySecondary": "[if(equals(steps('connectivity').esNetworkSecondarySubSection.firewallSkuSecondary, 'Basic'), 'No', steps('connectivity').esNetworkSecondarySubSection.enableAzFwDnsProxySecondary)]",
+ "firewallSkuSecondary": "[steps('connectivity').esNetworkSecondarySubSection.firewallSkuSecondary]",
+ "firewallZonesSecondary": "[steps('connectivity').esNetworkSecondarySubSection.firewallZonesSecondary]",
+ "subnetMaskForAzFwSecondary": "[steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwSecondary]",
+ "subnetMaskForAzFwMgmtSecondary": "[steps('connectivity').esNetworkSecondarySubSection.subnetMaskForAzFwMgmtSecondary]",
+ "enablevWANRoutingIntentSecondary": "[steps('connectivity').esNetworkSecondarySubSection.enablevWANRoutingIntentSecondary]",
+ "internetTrafficRoutingPolicySecondary": "[if(equals(steps('connectivity').esNetworkSecondarySubSection.vWANRoutingIntentforInternetTrafficSecondary, 'Yes'), 'true', 'false')]",
+ "privateTrafficRoutingPolicySecondary": "[if(equals(steps('connectivity').esNetworkSecondarySubSection.vWANRoutingIntentforPrivateTrafficSecondary, 'Yes'), 'true', 'false')]",
+ "vWANHubRoutingPreferenceSecondary": "[steps('connectivity').esNetworkSecondarySubSection.vWANHubRoutingPreferenceSecondary]",
+ "vWANHubCapacitySecondary": "[steps('connectivity').esNetworkSecondarySubSection.vWANHubCapacitySecondary]",
 "identitySubscriptionId": "[if(or(not(equals(steps('identity').esIdentitySubSection.esIdentitySub,steps('management').esMgmtSubSection.esMgmtSub)),not(equals(steps('identity').esIdentitySubSection.esIdentitySub,steps('connectivity').esNwSubSection.esNwSub))),steps('identity').esIdentitySubSection.esIdentitySub,'')]",
- "denyRdpForIdentity": "[steps('identity').denyRdpForIdentity]",
+ "denyMgmtPortsForIdentity": "[steps('identity').denyMgmtPortsForIdentity]",
 "denySubnetWithoutNsgForIdentity": "[steps('identity').denySubnetWithoutNsgForIdentity]",
 "denyPipForIdentity": "[steps('identity').denyPipForIdentity]",
 "enableVmBackupForIdentity": "[steps('identity').enableVmBackupForIdentity]",
 "identityAddressPrefix": "[steps('identity').identityAddressPrefix]",
- "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('landingZones').esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').lzConnectedSubs,'')]",
- "corpLzSubscriptionId": "[if(or(not(contains(steps('landingZones').esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').esCorpLzSub,'')]",
- "onlineLzSubscriptionId": "[if(or(not(contains(steps('landingZones').esOnlineLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').esOnlineLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').esOnlineLzSub,'')]",
- "enableLzDdoS": "[steps('landingZones').enableLzDdoS]",
- "denyPublicEndpoints": "[steps('landingZones').denyPublicEndpoints]",
- "enablePrivateDnsZonesForLzs": "[steps('landingZones').enablePrivateDnsZonesForLzs]",
- "enableEncryptionInTransit": "[steps('landingZones').enableEncryptionInTransit]",
- "enableVmMonitoring": "[steps('landingZones').enableVmMonitoring]",
- "enableVmssMonitoring": "[steps('landingZones').enableVmssMonitoring]",
- "enableAksPolicy": "[steps('landingZones').enableAksPolicy]",
- "denyAksPrivileged": "[steps('landingZones').denyAksPrivileged]",
- "denyAksPrivilegedEscalation": "[steps('landingZones').denyAksPrivilegedEscalation]",
- "denyHttpIngressForAks": "[steps('landingZones').denyHttpIngressForAks]",
- "denyDatabricksPip": "[steps('landingZones').denyDatabricksPip]",
- "denyDatabricksVnet": "[steps('landingZones').denyDatabricksVnet]",
- "denyDatabricksSku": "[steps('landingZones').denyDatabricksSku]",
- "enableVmBackup": "[steps('landingZones').enableVmBackup]",
- "denyRdp": "[steps('landingZones').denyRdp]",
- "denySubnetWithoutNsg": "[steps('landingZones').denySubnetWithoutNsg]",
- "denyIpForwarding": "[steps('landingZones').denyIpForwarding]",
- "enableSqlEncryption": "[steps('landingZones').enableSqlEncryption]",
- "enableSqlAudit": "[steps('landingZones').enableSqlAudit]",
- "enableStorageHttps": "[steps('landingZones').enableStorageHttps]"
+ "identityAddressPrefixSecondary": "[steps('identity').esIdentitySecondarySubSection.identityAddressPrefixSecondary]",
+ "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.lzConnectedSubs,'')]",
+ "corpLzSubscriptionId": "[if(or(not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').corpSection.esCorpLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').corpSection.esCorpLzSub,'')]",
+ "onlineLzSubscriptionId": "[if(or(not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('management').esMgmtSubSection.esMgmtSub)),not(contains(steps('landingZones').onlineSection.esOnlineLzSub,steps('connectivity').esNwSubSection.esNwSub))),steps('landingZones').onlineSection.esOnlineLzSub,'')]",
+ "enableLzDdoS": "[steps('landingZones').lzSection.enableLzDdoS]",
+ "denyPublicEndpoints": "[steps('landingZones').corpSection.denyPublicEndpoints]",
+ "denyPipOnNicForCorp": "[steps('landingZones').corpSection.denyPipOnNicForCorp]",
+ "enablePrivateDnsZonesForLzs": "[steps('landingZones').lzSection.enablePrivateDnsZonesForLzs]",
+ "enableEncryptionInTransit": "[steps('landingZones').lzSection.enableEncryptionInTransit]",
+ "enableVmMonitoring": "[steps('landingZones').lzSection.enableVmMonitoring]",
+ "enableVmssMonitoring": "[steps('landingZones').lzSection.enableVmssMonitoring]",
+ "enableVmHybridMonitoring": "[steps('landingZones').lzSection.enableVmHybridMonitoring]",
+ "enableAksPolicy": "[steps('landingZones').lzSection.enableAksPolicy]",
+ "denyAksPrivileged": "[steps('landingZones').lzSection.denyAksPrivileged]",
+ "denyAksPrivilegedEscalation": "[steps('landingZones').lzSection.denyAksPrivilegedEscalation]",
+ "denyHttpIngressForAks": "[steps('landingZones').lzSection.denyHttpIngressForAks]",
+ "enableVmBackup": "[steps('landingZones').lzSection.enableVmBackup]",
+ "denyMgmtPorts": "[steps('landingZones').lzSection.denyMgmtPorts]",
+ "denySubnetWithoutNsg": "[steps('landingZones').lzSection.denySubnetWithoutNsg]",
+ "denyIpForwarding": "[steps('landingZones').lzSection.denyIpForwarding]",
+ "enableSqlEncryption": "[steps('landingZones').lzSection.enableSqlEncryption]",
+ "enableSqlThreat": "[steps('landingZones').lzSection.enableSqlThreat]",
+ "enableSqlAudit": "[steps('landingZones').lzSection.enableSqlAudit]",
+ "enableStorageHttps": "[steps('landingZones').lzSection.enableStorageHttps]",
+ "enforceKvGuardrails": "[steps('landingZones').lzSection.enforceKvGuardrails]",
+ "enforceBackup": "[steps('landingZones').lzSection.enforceBackup]",
+ "denyHybridNetworking": "[steps('landingZones').corpSection.denyHybridNetworking]",
+ "auditPeDnsZones": "[steps('landingZones').corpSection.auditPeDnsZones]",
+ "auditAppGwWaf": "[steps('landingZones').lzSection.auditAppGwWaf]",
+ "enforceAcsb": "[steps('landingZones').lzSection.enforceAcsb]",
+ "enableDecommissioned": "[steps('decommissionedSandboxZones').decommSection.enableDecommissioned]",
+ "enableSandbox": "[steps('decommissionedSandboxZones').sandboxSection.enableSandbox]",
+ "enableWsCMKInitiatives": "[steps('workloadspecific').enableWsCMKInitiatives]",
+ "wsCMKSelectorMG": "[steps('workloadspecific').wsCMKSelectorMG]",
+ "enableWsAPIMInitiatives": "[steps('workloadspecific').enableWsAPIMInitiatives]",
+ "wsAPIMSelectorMG": "[steps('workloadspecific').wsAPIMSelectorMG]",
+ "enableWsAppServicesInitiatives": "[steps('workloadspecific').enableWsAppServicesInitiatives]",
+ "wsAppServicesSelectorMG": "[steps('workloadspecific').wsAppServicesSelectorMG]",
+ "enableWsAutomationInitiatives": "[steps('workloadspecific').enableWsAutomationInitiatives]",
+ "wsAutomationSelectorMG": "[steps('workloadspecific').wsAutomationSelectorMG]",
+ 
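Review bot: The `enableAscForDns` output is dropped while `enableAscForApis` and `enableAscForCspm` are added, but nothing in this hunk shows the matching `enableAscForDns` parameter leaving the ARM template; if it is still declared there, the deployment silently falls back to the template default and Defender for DNS coverage changes without the operator seeing it. Please confirm the template's parameter set was updated in the same change, or keep emitting `"enableAscForDns": "[steps('management').enableAscForDns]"` until it is. The new `emailContactActionGroup` and `monitorAlertsResourceGroup` outputs pass the portal inputs straight through, so the `required` and `regex` constraints that bound them must live on the `monitor` step's elements, which are outside this hunk and worth checking. The enclosing `outputs.parameters` object both starts and ends outside this hunk.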
"enableWsCognitiveServicesInitiatives": "[steps('workloadspecific').enableWsCognitiveServicesInitiatives]", + "wsCognitiveServicesSelectorMG": "[steps('workloadspecific').wsCognitiveServicesSelectorMG]", + "enableWsComputeInitiatives": "[steps('workloadspecific').enableWsComputeInitiatives]", + "wsComputeSelectorMG": "[steps('workloadspecific').wsComputeSelectorMG]", + "enableWsContainerAppsInitiatives": "[steps('workloadspecific').enableWsContainerAppsInitiatives]", + "wsContainerAppsSelectorMG": "[steps('workloadspecific').wsContainerAppsSelectorMG]", + "enableWsContainerInstanceInitiatives": "[steps('workloadspecific').enableWsContainerInstanceInitiatives]", + "wsContainerInstanceSelectorMG": "[steps('workloadspecific').wsContainerInstanceSelectorMG]", + "enableWsContainerRegistryInitiatives": "[steps('workloadspecific').enableWsContainerRegistryInitiatives]", + "wsContainerRegistrySelectorMG": "[steps('workloadspecific').wsContainerRegistrySelectorMG]", + "enableWsCosmosDbInitiatives": "[steps('workloadspecific').enableWsCosmosDbInitiatives]", + "wsCosmosDbSelectorMG": "[steps('workloadspecific').wsCosmosDbSelectorMG]", + "enableWsDataExplorerInitiatives": "[steps('workloadspecific').enableWsDataExplorerInitiatives]", + "wsDataExplorerSelectorMG": "[steps('workloadspecific').wsDataExplorerSelectorMG]", + "enableWsDataFactoryInitiatives": "[steps('workloadspecific').enableWsDataFactoryInitiatives]", + "wsDataFactorySelectorMG": "[steps('workloadspecific').wsDataFactorySelectorMG]", + "enableWsEventGridInitiatives": "[steps('workloadspecific').enableWsEventGridInitiatives]", + "wsEventGridSelectorMG": "[steps('workloadspecific').wsEventGridSelectorMG]", + "enableWsEventHubInitiatives": "[steps('workloadspecific').enableWsEventHubInitiatives]", + "wsEventHubSelectorMG": "[steps('workloadspecific').wsEventHubSelectorMG]", + "enableWsKeyVaultSupInitiatives": "[steps('workloadspecific').enableWsKeyVaultSupInitiatives]", + "wsKeyVaultSupSelectorMG": 
"[steps('workloadspecific').wsKeyVaultSupSelectorMG]", + "enableWsKubernetesInitiatives": "[steps('workloadspecific').enableWsKubernetesInitiatives]", + "wsKubernetesSelectorMG": "[steps('workloadspecific').wsKubernetesSelectorMG]", + "enableWsMachineLearningInitiatives": "[steps('workloadspecific').enableWsMachineLearningInitiatives]", + "wsMachineLearningSelectorMG": "[steps('workloadspecific').wsMachineLearningSelectorMG]", + "enableWsNetworkInitiatives": "[steps('workloadspecific').enableWsNetworkInitiatives]", + "wsNetworkSelectorMG": "[steps('workloadspecific').wsNetworkSelectorMG]", + "enableWsOpenAIInitiatives": "[steps('workloadspecific').enableWsOpenAIInitiatives]", + "wsOpenAISelectorMG": "[steps('workloadspecific').wsOpenAISelectorMG]", + "enableWsPostgreSQLInitiatives": "[steps('workloadspecific').enableWsPostgreSQLInitiatives]", + "wsPostgreSQLSelectorMG": "[steps('workloadspecific').wsPostgreSQLSelectorMG]", + "enableWsServiceBusInitiatives": "[steps('workloadspecific').enableWsServiceBusInitiatives]", + "wsServiceBusSelectorMG": "[steps('workloadspecific').wsServiceBusSelectorMG]", + "enableWsSQLInitiatives": "[steps('workloadspecific').enableWsSQLInitiatives]", + "wsSQLSelectorMG": "[steps('workloadspecific').wsSQLSelectorMG]", + "enableWsStorageInitiatives": "[steps('workloadspecific').enableWsStorageInitiatives]", + "wsStorageSelectorMG": "[steps('workloadspecific').wsStorageSelectorMG]", + "enableWsSynapseInitiatives": "[steps('workloadspecific').enableWsSynapseInitiatives]", + "wsSynapseSelectorMG": "[steps('workloadspecific').wsSynapseSelectorMG]", + "enableWsVirtualDesktopInitiatives": "[steps('workloadspecific').enableWsVirtualDesktopInitiatives]", + "wsVirtualDesktopSelectorMG": "[steps('workloadspecific').wsVirtualDesktopSelectorMG]", + "regulatoryComplianceInitativesToAssign": "[steps('regulatory').regComplianceSelectorFull]", + "regCompPolParAusGovIsmRestrictedVmAdminsExclude": 
"[coalesce(steps('regulatory').regPolicyParamAusGovIsmRestricted.regCompPolParAusGovIsmRestrictedVmAdminsExclude, '')]", + "regCompPolParAusGovIsmRestrictedResourceTypes": "[steps('regulatory').regPolicyParamAusGovIsmRestricted.regCompPolParAusGovIsmRestrictedResourceTypes]", + "regCompPolParMPAACertificateThumb": "[coalesce(steps('regulatory').regPolicyParamMPAA.regCompPolParMPAACertificateThumb, '')]", + "regCompPolParMPAAApplicationName": "[coalesce(steps('regulatory').regPolicyParamMPAA.regCompPolParMPAAApplicationName, '')]", + "regCompPolParMPAAStoragePrefix": "[coalesce(steps('regulatory').regPolicyParamMPAA.regCompPolParMPAAStoragePrefix, '')]", + "regCompPolParMPAAResGroupPrefix": "[coalesce(steps('regulatory').regPolicyParamMPAA.regCompPolParMPAAResGroupPrefix, '')]", + "regCompPolParMPAARBatchMetricName": "[coalesce(steps('regulatory').regPolicyParamMPAA.regCompPolParMPAARBatchMetricName, '')]", + "regCompPolParSovBaseGlobalRegions": "[steps('regulatory').regPolicyParamSovBaseGlobal.regCompPolParSovBaseGlobalRegions]", + "regCompPolParSovBaseConfRegions": "[steps('regulatory').regPolicyParamSovBaseConf.regCompPolParSovBaseConfRegions]", + "regCompPolParSwift2020VmAdminsInclude": "[coalesce(steps('regulatory').regPolicyParamSwift2020.regCompPolParSwift2020VmAdminsInclude, '')]", + "regCompPolParSwift2020DomainFqdn": "[coalesce(steps('regulatory').regPolicyParamSwift2020.regCompPolParSwift2020DomainFqdn, '')]", + "regCompPolParCanadaFedPbmmVmAdminsInclude": "[coalesce(steps('regulatory').regPolicyParamCanadaFedPbmm.regCompPolParCanadaFedPbmmVmAdminsInclude, '')]", + "regCompPolParCanadaFedPbmmVmAdminsExclude": "[coalesce(steps('regulatory').regPolicyParamCanadaFedPbmm.regCompPolParCanadaFedPbmmVmAdminsExclude, '')]", + "regCompPolParCisV2KeyVaultKeysRotateDays": "[coalesce(steps('regulatory').regPolicyParamCisV2.regCompPolParCisV2KeyVaultKeysRotateDays, 90)]", + "regCompPolParCmmcL3VmAdminsInclude": 
"[coalesce(steps('regulatory').regPolicyParamCmmcL3.regCompPolParCmmcL3VmAdminsInclude, '')]", + "regCompPolParCmmcL3VmAdminsExclude": "[coalesce(steps('regulatory').regPolicyParamCmmcL3.regCompPolParCmmcL3VmAdminsExclude, '')]", + "regCompPolParHitrustHipaaCertificateThumb": "[coalesce(steps('regulatory').regPolicyParamHitrustHipaa.regCompPolParHitrustHipaaCertificateThumb, '')]", + "regCompPolParHitrustHipaaApplicationName": "[coalesce(steps('regulatory').regPolicyParamHitrustHipaa.regCompPolParHitrustHipaaApplicationName, '')]", + "regCompPolParHitrustHipaaStoragePrefix": "[coalesce(steps('regulatory').regPolicyParamHitrustHipaa.regCompPolParHitrustHipaaStoragePrefix, '')]", + "regCompPolParHitrustHipaaResGroupPrefix": "[coalesce(steps('regulatory').regPolicyParamHitrustHipaa.regCompPolParHitrustHipaaResGroupPrefix, '')]", + "regCompPolParIrs1075Sep2016VmAdminsInclude": "[coalesce(steps('regulatory').regPolicyParamIrs1075Sep2016.regCompPolParIrs1075Sep2016VmAdminsInclude, '')]", + "regCompPolParIrs1075Sep2016VmAdminsExclude": "[coalesce(steps('regulatory').regPolicyParamIrs1075Sep2016.regCompPolParIrs1075Sep2016VmAdminsExclude, '')]", + "regCompPolParNistSp800171R2VmAdminsInclude": "[coalesce(steps('regulatory').regPolicyParamNistSp800171R2.regCompPolParNistSp800171R2VmAdminsInclude, '')]", + "regCompPolParNistSp800171R2VmAdminsExclude": "[coalesce(steps('regulatory').regPolicyParamNistSp800171R2.regCompPolParNistSp800171R2VmAdminsExclude, '')]", + "regCompPolParNZIsmRestrictedVmAdminsInclude": "[coalesce(steps('regulatory').regPolicyParamNewZelandIsmRestricted.regCompPolParNZIsmRestrictedVmAdminsInclude, '')]", + "regCompPolParNZIsmRestrictedVmAdminsExclude": "[coalesce(steps('regulatory').regPolicyParamNewZelandIsmRestricted.regCompPolParNZIsmRestrictedVmAdminsExclude, '')]", + "regCompPolParSoc2Type2AllowedRegistries": "[coalesce(steps('regulatory').regPolicyParamSoc2Type2.regCompPolParSoc2Type2AllowedRegistries, '')]", + "regCompPolParSoc2Type2MaxCpuUnits": 
"[coalesce(steps('regulatory').regPolicyParamSoc2Type2.regCompPolParSoc2Type2MaxCpuUnits, '')]", + "regCompPolParSoc2Type2MaxMemoryBytes": "[coalesce(steps('regulatory').regPolicyParamSoc2Type2.regCompPolParSoc2Type2MaxMemoryBytes, '')]" }, "kind": "Tenant", "location": "[steps('basics').resourceScope.location.name]" } } -} \ No newline at end of file +} diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 11d6b51b81..c0ea0b7c36 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -40,6 +40,10 @@ "type": "string", "defaultValue": "" }, + "enableSentinel": { + "type": "string", + "defaultValue": "Yes" + }, "managementSubscriptionId": { "type": "string", "defaultValue": "", @@ -48,14 +52,6 @@ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for management. If you don't want to bring a subscription, leave this parameter empty as is." } }, - "enableAgentHealth": { - "type": "string", - "defaultValue": "No", - "allowedValues": [ - "Yes", - "No" - ] - }, "enableChangeTracking": { "type": "string", "defaultValue": "No", @@ -80,38 +76,6 @@ ], "defaultValue": "Yes" }, - "enableServiceMap": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes" - }, - "enableSqlAssessment": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes" - }, - "enableSqlVulnerabilityAssessment": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes" - }, - "enableSqlAdvancedThreatProtection": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes" - }, "enableAsc": { "type": "string", "defaultValue": "No", @@ -138,6 +102,14 @@ "Disabled" ] }, + "enableAscForServersVulnerabilityAssessments": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, "enableAscForOssDb": { "type": "string", "allowedValues": [ 
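Review bot: The new `enableSentinel` parameter in the `@@ -40,6 +40,10 @@` hunk is a free-form string with no `allowedValues` and no metadata description, unlike the neighbouring `enableChangeTracking`, which constrains itself to `"Yes"`/`"No"`; a value such as `"yes"` or `"true"` passes template validation and, if the consumer compares it with `equals(..., 'Yes')` as the other switches appear to (not visible here), silently leaves Sentinel unconfigured. Add `"allowedValues": ["Yes", "No"]` and a `"metadata": { "description": "If 'Yes' is selected, ARM will deploy Microsoft Sentinel on the Log Analytics workspace." }` block so the contract is explicit. The `enableAscForServersVulnerabilityAssessments` parameter added in the `@@ -138,6 +102,14 @@` hunk on the same line is typed correctly but also lacks a description; a one-line metadata entry naming the effect of `DeployIfNotExists` would help operators reading a parameter file.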
@@ -202,7 +174,7 @@ ], "defaultValue": "Disabled" }, - "enableAscForDns": { + "enableAscForApis": { "type": "string", "allowedValues": [ "Disabled", @@ -210,7 +182,7 @@ ], "defaultValue": "Disabled" }, - "enableAscForContainers": { + "enableAscForCspm": { "type": "string", "allowedValues": [ "Disabled", 
@@ -218,50 +190,78 @@ ], "defaultValue": "Disabled" }, - "enableSecuritySolution": { + "enableAscForContainers": { "type": "string", - "defaultValue": "No", "allowedValues": [ - "Yes", - "No" - ] + "Disabled", + "DeployIfNotExists" + ], + "defaultValue": "Disabled" }, - "enableAzOps": { + "enableMDEndpoints": { "type": "string", "allowedValues": [ - "Yes", - "No" + "Disabled", + "DeployIfNotExists", + "AuditIfNotExists" ], - "defaultValue": "No" + "defaultValue": "Disabled" }, - "gitHubUserNameOrOrg": { + "enableMonitorBaselines": { "type": "string", - "defaultValue": "" + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "If 'Yes' is selected, ARM will assign a policy initiative to deploy alerting for Service Health in your environment. If 'No', it will be ignored." + } }, - "repositoryName": { + "enableMonitorConnectivity": { "type": "string", - "defaultValue": "" + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "If 'Yes' is selected, ARM will assign a policy initiative to deploy alerting for select connectivity resources in your environment. If 'No', it will be ignored." + } }, - "paToken": { - "type": "securestring", - "defaultValue": "" + "enableMonitorIdentity": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "If 'Yes' is selected, ARM will assign a policy initiative to deploy alerting for select identity resources in your environment. If 'No', it will be ignored." + } }, - "principalId": { - "type": "array", - "defaultValue": [] + "enableMonitorManagement": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "If 'Yes' is selected, ARM will assign a policy initiative to deploy alerting for select management resources in your environment. If 'No', it will be ignored." 
+ } }, - "principalSecret": { - "type": "securestring", - "defaultValue": "" + "enableMonitorLandingZones": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "If 'Yes' is selected, ARM will assign a policy initiative to deploy alerting for select resources in your environment. If 'No', it will be ignored." + } }, - "appId": { + "monitorAlertsResourceGroup": { "type": "string", - "defaultValue": "" + "defaultValue": "", + "maxLength": 90, + "metadata": { + "description": "Name of the resource group to be created for monitoring resources in each subscription." + } }, - "azOpsSubscriptionId": { + "emailContactActionGroup": { "type": "string", "defaultValue": "", - "maxLength": 36 + "maxLength": 36, + "metadata": { + "description": "Email address for alerting purposes." + } }, "connectivitySubscriptionId": { "type": "string", @@ -296,6 +296,10 @@ "No" ] }, + "privateDnsZonesToDeploy": { + "type": "array", + "defaultValue": [] + }, "enableVpnGw": { "type": "string", "defaultValue": "No", @@ -304,6 +308,14 @@ "No" ] }, + "enableVpnActiveActive": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, "gwRegionalOrAz": { "type": "string", "defaultValue": "" @@ -377,6 +389,7 @@ "firewallSku": { "type": "string", "allowedValues": [ + "Basic", "Standard", "Premium" ], 
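Review bot: The five new `enableMonitorBaselines`, `enableMonitorConnectivity`, `enableMonitorIdentity`, `enableMonitorManagement` and `enableMonitorLandingZones` parameters describe themselves as Yes/No switches ("If 'Yes' is selected ... If 'No', it will be ignored") but are declared as unconstrained strings with `"defaultValue": ""` and `"maxLength": 36`, which looks copied from the subscription-id parameters they replace; a parameter-file deployment that omits them sends a value that is neither Yes nor No. Give each of them `"allowedValues": ["Yes", "No"]` and `"defaultValue": "No"` and drop `"maxLength"`. Separately, `emailContactActionGroup` caps the address at 36 characters, which rejects many legitimate alerting contacts (a mailbox plus domain can legally reach 254 characters per RFC 5321), so either remove the cap or raise it to `"maxLength": 254`; a too-short limit here means alert routing silently cannot be configured rather than failing early.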
@@ -390,190 +403,416 @@ "type": "string", "defaultValue": "" }, - "identitySubscriptionId": { - "type": "string", - "defaultValue": "", - "maxLength": 36, - "metadata": { - "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for identity." - } - }, - "denyRdpForIdentity": { - "type": "string", - "allowedValues": [ - "Yes", - "Audit", - "No" - ], - "defaultValue": "No" - }, - "denySubnetWithoutNsgForIdentity": { - "type": "string", - "allowedValues": [ - "Yes", - "Audit", - "No" - ], - "defaultValue": "No" - }, - "denyPipForIdentity": { + "subnetMaskForAzFwMgmt": { "type": "string", - "allowedValues": [ - "Yes", - "Audit", - "No" - ], - "defaultValue": "No" + "defaultValue": "" }, - "enableVmBackupForIdentity": { + "enablevWANRoutingIntent": { "type": "string", "allowedValues": [ "Yes", - "Audit", "No" ], "defaultValue": "No" }, - "identityAddressPrefix": { - "type": "string", - "defaultValue": "" + "internetTrafficRoutingPolicy": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Enable vWAN Routing Intent and Policy for Internet Traffic" + } }, - "corpConnectedLzSubscriptionId": { - "type": "array", - "defaultValue": [], + "privateTrafficRoutingPolicy": { + "type": "bool", + "defaultValue": false, "metadata": { - "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones and connect to virtual networking hub." + "description": "Enable vWAN Routing Intent and Policy for Private Traffic" } }, - "corpLzSubscriptionId": { - "type": "array", - "defaultValue": [], + "vWANHubRoutingPreference": { + "type": "string", + "defaultValue": "ExpressRoute", "metadata": { - "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones." 
+ "description": "vWAN Hub Routing Preference" } }, - "onlineLzSubscriptionId": { - "type": "array", - "defaultValue": [], + "vWANHubCapacity": { + "type": "string", + "defaultValue": "2", "metadata": { - "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first online landing zones." + "description": "vWAN Hub Capacity" } }, - "enableLzDdoS": { + "addressPrefixSecondary": { "type": "string", - "defaultValue": "No", - "allowedValues": [ - "Yes", - "Audit", - "No" - ] + "defaultValue": "" }, - "denyPublicEndpoints": { + "connectivityLocationSecondary": { + "type": "string", + "defaultValue": "[deployment().location]" + }, + "enablePrivateDnsZonesSecondary": { "type": "string", "defaultValue": "No", "allowedValues": [ "Yes", - "Audit", "No" ] }, - "enablePrivateDnsZonesForLzs": { + "privateDnsZonesToDeploySecondary": { + "type": "array", + "defaultValue": [] + }, + "enableVpnGwSecondary": { "type": "string", "defaultValue": "No", "allowedValues": [ "Yes", - "Audit", "No" ] }, - "enableEncryptionInTransit": { + "enableVpnActiveActiveSecondary": { "type": "string", "defaultValue": "No", "allowedValues": [ "Yes", - "Audit", "No" ] }, - "enableVmMonitoring": { + "gwRegionalOrAzSecondary": { "type": "string", - "defaultValue": "No", - "allowedValues": [ - "Yes", - "Audit", - "No" - ], - "metadata": { - "description": "If 'Yes' is selected, policy will be assigned to enforce VM monitoring." - } + "defaultValue": "" }, - "enableVmssMonitoring": { + "gwRegionalSkuSecondary": { "type": "string", - "defaultValue": "No", - "allowedValues": [ - "Yes", - "Audit", - "No" - ], - "metadata": { - "description": "If 'Yes' is selected, policy will be assigned to enforce VMSS monitoring." 
- } + "defaultValue": "" }, - "enableAksPolicy": { + "gwAzSkuSecondary": { + "type": "string", + "defaultValue": "" + }, + "vpnGateWayScaleUnitSecondary": { + "type": "string", + "defaultValue": "1" + }, + "subnetMaskForGwSecondary": { + "type": "string", + "defaultValue": "" + }, + "enableErGwSecondary": { "type": "string", "defaultValue": "No", "allowedValues": [ "Yes", - "Audit", "No" ] }, - "denyAksPrivileged": { + "erAzSkuSecondary": { + "type": "string", + "defaultValue": "" + }, + "erRegionalSkuSecondary": { + "type": "string", + "defaultValue": "" + }, + "erRegionalOrAzSecondary": { + "type": "string", + "defaultValue": "" + }, + "expressRouteScaleUnitSecondary": { + "type": "string", + "defaultValue": "1" + }, + "enableSecondaryRegion": { "type": "string", - "defaultValue": "No", "allowedValues": [ "Yes", - "Audit", "No" - ] + ], + "defaultValue": "Yes" }, - "denyAksPrivilegedEscalation": { + "enableHubSecondary": { "type": "string", - "defaultValue": "No", "allowedValues": [ - "Yes", - "Audit", + "vhub", + "vwan", + "nva", "No" - ] + ], + "defaultValue": "No" }, - "denyHttpIngressForAks": { + "enableAzFwSecondary": { "type": "string", - "defaultValue": "No", "allowedValues": [ "Yes", - "Audit", "No" - ] + ], + "defaultValue": "No" }, - "denyDatabricksPip": { + "enableAzFwDnsProxySecondary": { "type": "string", - "defaultValue": "No", "allowedValues": [ "Yes", - "Audit", "No" - ] + ], + "defaultValue": "No" }, - "denyDatabricksVnet": { + "firewallSkuSecondary": { "type": "string", - "defaultValue": "No", "allowedValues": [ - "Yes", + "Basic", + "Standard", + "Premium" + ], + "defaultValue": "Standard" + }, + "firewallZonesSecondary": { + "type": "array", + "defaultValue": [] + }, + "subnetMaskForAzFwSecondary": { + "type": "string", + "defaultValue": "" + }, + "subnetMaskForAzFwMgmtSecondary": { + "type": "string", + "defaultValue": "" + }, + "enablevWANRoutingIntentSecondary": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + 
"defaultValue": "No" + }, + "internetTrafficRoutingPolicySecondary": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Enable vWAN Routing Intent and Policy for Internet Traffic" + } + }, + "privateTrafficRoutingPolicySecondary": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Enable vWAN Routing Intent and Policy for Private Traffic" + } + }, + "vWANHubRoutingPreferenceSecondary": { + "type": "string", + "defaultValue": "ExpressRoute", + "metadata": { + "description": "vWAN Hub Routing Preference" + } + }, + "vWANHubCapacitySecondary": { + "type": "string", + "defaultValue": "2", + "metadata": { + "description": "vWAN Hub Capacity" + } + }, + "identitySubscriptionId": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for identity." + } + }, + "denyMgmtPortsForIdentity": { + "type": "string", + "allowedValues": [ + "Yes", + "Audit", + "No" + ], + "defaultValue": "No" + }, + "denySubnetWithoutNsgForIdentity": { + "type": "string", + "allowedValues": [ + "Yes", + "Audit", + "No" + ], + "defaultValue": "No" + }, + "denyPipForIdentity": { + "type": "string", + "allowedValues": [ + "Yes", + "Audit", + "No" + ], + "defaultValue": "No" + }, + "enableVmBackupForIdentity": { + "type": "string", + "allowedValues": [ + "Yes", + "Audit", + "No" + ], + "defaultValue": "No" + }, + "identityAddressPrefix": { + "type": "string", + "defaultValue": "" + }, + "identityAddressPrefixSecondary": { + "type": "string", + "defaultValue": "" + }, + "corpConnectedLzSubscriptionId": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones and connect to virtual networking hub." 
+ } + }, + "corpLzSubscriptionId": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones." + } + }, + "onlineLzSubscriptionId": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first online landing zones." + } + }, + "enableLzDdoS": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] + }, + "denyPublicEndpoints": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] + }, + "denyPipOnNicForCorp": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "enablePrivateDnsZonesForLzs": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] + }, + "enableEncryptionInTransit": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] + }, + "enableVmMonitoring": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ], + "metadata": { + "description": "If 'Yes' is selected, policy will be assigned to enforce VM monitoring." + } + }, + "enableVmssMonitoring": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ], + "metadata": { + "description": "If 'Yes' is selected, policy will be assigned to enforce VMSS monitoring." + } + }, + "enableVmHybridMonitoring": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ], + "metadata": { + "description": "If 'Yes' is selected, policy will be assigned to enforce Hybrid VM monitoring." 
+ } + }, + "enableAksPolicy": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] + }, + "denyAksPrivileged": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] + }, + "denyAksPrivilegedEscalation": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] + }, + "denyClassicResources": { + "type": "string", + "defaultValue": "Yes", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] + }, + "denyVMUnmanagedDisk": { + "type": "string", + "defaultValue": "Yes", + "allowedValues": [ + "Yes", "Audit", "No" ] }, - "denyDatabricksSku": { + "denyHttpIngressForAks": { "type": "string", "defaultValue": "No", "allowedValues": [ @@ -591,7 +830,7 @@ "No" ] }, - "denyRdp": { + "denyMgmtPorts": { "type": "string", "defaultValue": "No", "allowedValues": [ @@ -627,6 +866,31 @@ "No" ] }, + "enableSqlThreat": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] + }, + "enableDecommissioned": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "enableSandbox": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, "enableSqlAudit": { "type": "string", "defaultValue": "No", 
@@ -645,320 +909,1041 @@ "No" ] }, - "delayCount": { - "type": "int", - "defaultValue": 30, - "minValue": 1, - "maxValue": 60, - "metadata": { - "description": "Configure the count of empty deployments used to introduce a delay after policy deployment. Used to increase reliability of deployment, but can be reduced when re-deploying to an existing environment." - } - }, - "currentDateTimeUtcNow": { + "enforceKvGuardrails": { "type": "string", - "defaultValue": "[utcNow()]", - "metadata": { - "description": "The current date and time using the utcNow function. Used for deployment name uniqueness" - } - } - }, - "variables": { - // Declaring the prescriptive management group structure that will be used in the scope construction - "mgmtGroups": { - "eslzRoot": "[parameters('enterpriseScaleCompanyPrefix')]", - "platform": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'platform')]", - "management": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'management')]", - "connectivity": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'connectivity')]", - "identity": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'identity')]", - "lzs": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'landingzones')]", - "corp": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'corp')]", - "online": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'online')]" + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] }, - // Declaring scopes that will be used for optional deployments, such as platform components (monitoring, networking, identity), policy assignments, subscription placement etc. 
- "scopes": { - "eslzRootManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').eslzRoot)]", - "platformManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').platform)]", - "managementManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').management)]", - "connectivityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').connectivity)]", - "identityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').identity)]", - "lzsManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').lzs)]", - "corpManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').corp)]", - "onlineManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').online)]" + "enforceBackup": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] }, - // Declaring all required deployment uri's used for deployments of composite ARM templates for ESLZ - "azPrivateDnsPolicyAssignmentMapping": { - "https://management.azure.com/": "managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json", - "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/gov/fairfaxDINE-PrivateDNSZonesPolicyAssignment.json" + "enforceKvGuardrailsPlat": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] }, - "azPrivateDnsPolicyAssignment": "[variables('azPrivateDnsPolicyAssignmentMapping')[environment().resourceManager]]", - "deploymentUris": { - "managementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]", - "managementGroupsLite": 
"[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]", - "roleDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleDefinitions/customRoleDefinitions.json')]", - "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]", - "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]", - "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]", - "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]", - "subscriptionPlacement": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json')]", - "monitoring": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsWorkspace.json')]", - "azOpsRBAC": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleAssignments/azOpsRoleAssignment.json')]", - "resourceGroup": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/resourceGroup.json')]", - "ddosProtection": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/ddosProtection.json')]", - "azOpsSetup": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/azOpsArm.json')]", - "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]", - "monitoringSolutions": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsSolutions.json')]", - "asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]", - 
"resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]", - "activityDiagnosticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json')]", - "mdfcConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json')]", - "azVmMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json')]", - "azVmssMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json')]", - "azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]", - "azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]", - "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]", - "aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]", - "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]", - "aksHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json')]", - "ipFwdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 
'managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json')]", - "publicEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json')]", - "privateDnsZonePolicyAssignment": "[uri(deployment().properties.templateLink.uri, variables('azPrivateDnsPolicyAssignment'))]", - "pipPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json')]", - "rdpFromInternetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json')]", - "storageHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json')]", - "subnetNsgPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json')]", - "sqlAuditPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json')]", - "sqlEncryptionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json')]", - "ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]", - "corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeering.json')]", - "corpVwanPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringVwan.json')]", - "privateDnsZones": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/privateDnsZones.json')]", - "roleAssignments": "[uri(deployment().properties.templateLink.uri, 
'managementGroupTemplates/roleAssignments/roleAssignment.json')]", - "databricksSku": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json')]", - "databricksPip": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json')]", - "databricksVnet": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DatabricksVnetPolicyAssignment.json')]", - "govMdfcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/gov/fairfaxDINE-MDFCConfigPolicyAssignment.json')]" + "enforceBackupPlat": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] }, - // Declaring deterministic deployment names - "deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]", - "deploymentNames": { - "mgmtGroupDeploymentName": "[take(concat('alz-Mgs', variables('deploymentSuffix')), 64)]", - "mgmtSubscriptionPlacement": "[take(concat('alz-MgmtSub', variables('deploymentSuffix')), 64)]", - "databricksSkuDeploymentName": "[take(concat('alz-DBSku', variables('deploymentSuffix')), 64)]", - "databricksPipDeploymentName": "[take(concat('alz-DBPip', variables('deploymentSuffix')), 64)]", - "databricksVnetDeploymentName": "[take(concat('alz-DBVnet', variables('deploymentSuffix')), 64)]", - "corpPeeringDeploymentName": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 60)]", - "connectivitySubscriptionPlacement": "[take(concat('alz-ConnectivitySub', variables('deploymentSuffix')), 64)]", - "identitySubscriptionPlacement": "[take(concat('alz-IdentitySub', variables('deploymentSuffix')), 64)]", - "roleDefsDeploymentName": "[take(concat('alz-RoleDefs', variables('deploymentSuffix')), 64)]", - "policyDeploymentName": 
"[take(concat('alz-Policy', variables('deploymentSuffix')), 64)]", - "azOpsRbacDeploymentName": "[take(concat('alz-AzOpsRbac', variables('deploymentSuffix')), 64)]", - "azOpsRgDeploymentName": "[take(concat('alz-AzOpsRg', variables('deploymentSuffix')), 64)]", - "ddosRgDeploymentName": "[take(concat('alz-DDoSRg', variables('deploymentSuffix')), 64)]", - "ddosDeploymentName": "[take(concat('alz-DDoS', variables('deploymentSuffix')), 64)]", - "ddosHubPolicyDeploymentName": "[take(concat('alz-DDoSHubPolicy', variables('deploymentSuffix')), 64)]", - "ddosLzPolicyDeploymentName": "[take(concat('alz-DDoSLZPolicy', variables('deploymentSuffix')), 64)]", - "azOpsSetupDeploymentName": "[take(concat('alz-AzOpsSetup', variables('deploymentSuffix')), 64)]", - "monitoringDeploymentName": "[take(concat('alz-Monitoring', variables('deploymentSuffix')), 64)]", - "logAnalyticsPolicyDeploymentName": "[take(concat('alz-LAPolicy', variables('deploymentSuffix')), 64)]", - "monitoringSolutionsDeploymentName": "[take(concat('alz-Solutions', variables('deploymentSuffix')), 64)]", - "asbPolicyDeploymentName": "[take(concat('alz-ASB', variables('deploymentSuffix')), 64)]", - "resourceDiagnosticsPolicyDeploymentName": "[take(concat('alz-ResourceDiagnostics', variables('deploymentSuffix')), 64)]", - "activityDiagnosticsPolicyDeploymentName": "[take(concat('alz-ActivityDiagnostics', variables('deploymentSuffix')), 64)]", - "ascPolicyDeploymentName": "[take(concat('alz-ASC', variables('deploymentSuffix')), 64)]", - "ascGovPolicyDeploymentName": "[take(concat('alz-Gov-ASC', variables('deploymentSuffix')), 64)]", - "vnetConnectivityHubDeploymentName": "[take(concat('alz-HubSpoke', variables('deploymentSuffix')), 64)]", - "vwanConnectivityHubDeploymentName": "[take(concat('alz-VWanHub', variables('deploymentSuffix')), 64)]", - "nvaConnectivityHubDeploymentName": "[take(concat('alz-NVAHub', variables('deploymentSuffix')), 64)]", - "azVmMonitorPolicyDeploymentName": "[take(concat('alz-AzVmMonitor', 
variables('deploymentSuffix')), 64)]", - "azVmssMonitorPolicyDeploymentName": "[take(concat('alz-AzVmssMonitor', variables('deploymentSuffix')), 64)]", - "azBackupLzPolicyDeploymentName": "[take(concat('alz-AzBackupLz', variables('deploymentSuffix')), 64)]", - "azBackupIdentityPolicyDeploymentName": "[take(concat('alz-AzBackupIdentity', variables('deploymentSuffix')), 64)]", - "azPolicyForAksPolicyDeploymentName": "[take(concat('alz-AksPolicy', variables('deploymentSuffix')), 64)]", - "aksPrivEscalationPolicyDeploymentName": "[take(concat('alz-AksPrivEsc', variables('deploymentSuffix')), 64)]", - "aksHttpsPolicyDeploymentName": "[take(concat('alz-AksHttps', variables('deploymentSuffix')), 64)]", - "aksPrivilegedPolicyDeploymentName": "[take(concat('alz-AksPrivileged', variables('deploymentSuffix')), 64)]", - "tlsSslPolicyDeploymentName": "[take(concat('alz-TLSSSL', variables('deploymentSuffix')), 64)]", - "ipFwPolicyDeploymentName": "[take(concat('alz-IPFwd', variables('deploymentSuffix')), 64)]", - "publicEndpointPolicyDeploymentName": "[take(concat('alz-PEndpoint', variables('deploymentSuffix')), 64)]", - "privateDnsPolicyDeploymentName": "[take(concat('alz-PrivDNSAssignment', variables('deploymentSuffix')), 64)]", - "pipPolicyDeploymentName": "[take(concat('alz-PIP', variables('deploymentSuffix')), 64)]", - "rdpFromInternetPolicyDeploymentName": "[take(concat('alz-RDP', variables('deploymentSuffix')), 64)]", - "rdpFromInternetIdentityPolicyDeploymentName": "[take(concat('alz-RDPIdentity', variables('deploymentSuffix')), 64)]", - "storageHttpsPolicyDeploymentName": "[take(concat('alz-StorageHttps', variables('deploymentSuffix')), 64)]", - "subnetNsgPolicyDeploymentName": "[take(concat('alz-SubnetNsg', variables('deploymentSuffix')), 64)]", - "subnetNsgIdentityPolicyDeploymentName": "[take(concat('alz-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]", - "sqlAuditPolicyDeploymentName": "[take(concat('alz-SqlAudit', variables('deploymentSuffix')), 64)]", - 
"sqlEncryptionPolicyDeploymentName": "[take(concat('alz-SqlEncrypt', variables('deploymentSuffix')), 64)]", - "onlineLzSubs": "[take(concat('alz-OnlineLzs', variables('deploymentSuffix')), 60)]", - "corpLzSubs": "[take(concat('alz-CorpLzs', variables('deploymentSuffix')), 60)]", - "corpConnectedMoveLzSubs": "[take(concat('alz-CorpConnLzs', variables('deploymentSuffix')), 50)]", - "corpConnectedLzSubs": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 50)]", - "privateDnsZoneRgDeploymentName": "[take(concat('alz-PrivDNSRG', variables('deploymentSuffix')), 64)]", - "privateDnsZonesDeploymentName": "[take(concat('alz-PrivDNSZones', variables('deploymentSuffix')), 35)]", - "dnsZoneRoleAssignmentDeploymentName": "[take(concat('alz-DNSZoneRole', variables('deploymentSuffix')), 64)]", - "identityPeeringDeploymentName": "[take(concat('alz-IDPeering', variables('deploymentSuffix')), 64)]", - "identityVwanPeeringDeploymentName": "[take(concat('alz-IDVwanPeering', variables('deploymentSuffix')), 64)]", - "corpConnectedLzVwanSubs": "[take(concat('alz-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]", - "pidCuaDeploymentName": "[take(concat('pid-', variables('cuaid'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]", - "ztnPhase1PidCuaDeploymentName": "[take(concat('pid-', variables('ztnPhase1CuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]" + "denyHybridNetworking": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] }, - "esLiteDeploymentNames": { - "mgmtGroupLiteDeploymentName": "[take(concat('alz-MgsLite', variables('deploymentSuffix')), 64)]", - "rdpFromInternetIdentityLitePolicyDeploymentName": "[take(concat('alz-RDPIdentity', 
variables('deploymentSuffix')), 64)]", - "azBackupIdentityLitePolicyDeploymentName": "[take(concat('alz-AzBackupIdentity', variables('deploymentSuffix')), 64)]", - "subnetNsgIdentityLitePolicyDeploymentName": "[take(concat('alz-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]", - "monitoringLiteDeploymentName": "[take(concat('alz-MonitoringLite', variables('deploymentSuffix')), 64)]", - "logAnalyticsLitePolicyDeploymentName": "[take(concat('alz-LAPolicyLite', variables('deploymentSuffix')), 64)]", - "monitoringSolutionsLiteDeploymentName": "[take(concat('alz-SolutionsLite', variables('deploymentSuffix')), 64)]", - "platformLiteSubscriptionPlacement": "[take(concat('alz-PlatformSubLite', variables('deploymentSuffix')), 64)]", - "vnetConnectivityHubLiteDeploymentName": "[take(concat('alz-VnetHubLite', variables('deploymentSuffix')), 64)]", - "vwanConnectivityHubLiteDeploymentName": "[take(concat('alz-VWanHubLite', variables('deploymentSuffix')), 64)]", - "nvaConnectivityHubLiteDeploymentName": "[take(concat('alz-NVAHubLite', variables('deploymentSuffix')), 64)]", - "azOpsSetupLiteDeploymentName": "[take(concat('alz-AzOpsSetupLite', variables('deploymentSuffix')), 64)]", - "azOpsRbacLiteDeploymentName": "[take(concat('alz-AzOpsRbacLite', variables('deploymentSuffix')), 64)]", - "azOpsRgLiteDeploymentName": "[take(concat('alz-AzOpsRgLite', variables('deploymentSuffix')), 64)]", - "ddosRgLiteDeploymentName": "[take(concat('alz-DDoSRgLite', variables('deploymentSuffix')), 64)]", - "ddosLiteDeploymentName": "[take(concat('alz-DDoSLite', variables('deploymentSuffix')), 64)]", - "ddosHubLitePolicyDeploymentName": "[take(concat('alz-DDoSHubPolicyLite', variables('deploymentSuffix')), 64)]", - "privateDnsZoneRgLiteDeploymentName": "[take(concat('alz-PrivDNSRGLite', variables('deploymentSuffix')), 64)]", - "privateDnsZonesLiteDeploymentName": "[take(concat('alz-PrivDNSLite', variables('deploymentSuffix')), 35)]" + "auditPeDnsZones": { + "type": "string", + 
"defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] }, - // Declaring deterministic names for Resource Groups that will be created for platform resources - "platformRgNames": { - "mgmtRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-mgmt')]", - "azOpsRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-azops')]", - "connectivityRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocation'))]", - "ddosRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ddos')]", - "privateDnsRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-privatedns')]", - "identityVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]", - "lzVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]" + "auditAppGwWaf": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] }, - // Declaring deterministic names for platform resources that will be created - "platformResourceNames": { - "logAnalyticsWorkspace": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-law')]", - "automationAccount": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-aauto')]", - "vpnGwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vpngw-', parameters('connectivityLocation'))]", - "erGwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ergw-', parameters('connectivityLocation'))]", - "ddosName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ddos-', parameters('connectivityLocation'))]", - "azFwPolicyName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-azfwpolicy-', parameters('connectivityLocation'))]", - "azFwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-fw-', parameters('connectivityLocation'))]", - "azErGwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-erpip-', 
parameters('connectivityLocation'))]", - "hubName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-hub-', parameters('connectivityLocation'))]", - "vwanName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vwan-', parameters('connectivityLocation'))]", - "azVpnGwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-gwpip-', parameters('connectivityLocation'))]", - "azFwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-fwpip-', parameters('connectivityLocation'))]", - "identityVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]", - "lzVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]" + "enforceAcsb": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "Audit", + "No" + ] }, - // Declaring subscriptionId for AzOps - "azOpsSubscriptionId": "[if(empty(parameters('azOpsSubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('azOpsSubscriptionId'))]", - // Declaring deterministic resourceId's for platform resources that will be created - "singleVsDedicatedMgmtSub": "[if(empty(parameters('managementSubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('managementSubscriptionId'))]", - "singleVsDedicatedConnectivitySub": "[if(empty(parameters('connectivitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('connectivitySubscriptionId'))]", - "platformResourceIds": { - "logAnalyticsResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.OperationalInsights/workspaces/', variables('platformResourceNames').logAnalyticsWorkspace)]", - "automationResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Automation/automationAccounts/', 
variables('platformResourceNames').automationAccount)]", - "ddosProtectionResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').ddosRg, '/providers/Microsoft.Network/ddosProtectionPlans/', variables('platformResourceNames').ddosName)]", - "vNetHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualNetworks/', variables('platformResourceNames').hubName)]", - "vWanHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualHubs/', variables('platformResourceNames').hubName)]", - "privateDnsRgResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').privateDnsRg)]", - "azFirewallResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/azureFirewalls/', variables('platformResourceNames').azFwName)]" + "delayCount": { + "type": "int", + "defaultValue": 45, + "minValue": 1, + "maxValue": 60, + "metadata": { + "description": "Configure the count of empty deployments used to introduce a delay after policy deployment. Used to increase reliability of deployment, but can be reduced when re-deploying to an existing environment." 
+ } }, - // Declaring deterministic resourceId's for ES Lite platform resources (as they will be consolidated into a single platform subscription) - "deterministicRoleAssignmentGuids": { - "ddosForConnectivity": "[take(guid(concat(parameters('enterpriseScaleCompanyPrefix'), 'ddos')), 10)]", - "backupForIdentity": "[take(guid(concat(parameters('enterpriseScaleCompanyPrefix'), 'idbackup')), 10)]" + "currentDateTimeUtcNow": { + "type": "string", + "defaultValue": "[utcNow()]", + "metadata": { + "description": "The current date and time using the utcNow function. Used for deployment name uniqueness" + } }, - "privateDnsZones": [ - "[format('privatelink.{0}.azmk8s.io', toLower(parameters('connectivityLocation')))]", - "[format('privatelink.{0}.batch.azure.com', toLower(parameters('connectivityLocation')))]", - "[format('privatelink.{0}.kusto.windows.net', toLower(parameters('connectivityLocation')))]", - "privatelink.adf.azure.com", - "privatelink.afs.azure.net", - "privatelink.agentsvc.azure-automation.net", - "privatelink.analysis.windows.net", - "privatelink.api.azureml.ms", - "privatelink.azconfig.io", - "privatelink.azure-api.net", - "privatelink.azure-automation.net", - "privatelink.azurecr.io", - "privatelink.azure-devices.net", - "privatelink.azure-devices-provisioning.net", - "privatelink.azurehdinsight.net", - "privatelink.azurehealthcareapis.com", - "privatelink.azurestaticapps.net", - "privatelink.azuresynapse.net", - "privatelink.azurewebsites.net", - "privatelink.batch.azure.com", - "privatelink.blob.core.windows.net", - "privatelink.cassandra.cosmos.azure.com", - "privatelink.cognitiveservices.azure.com", - "privatelink.database.windows.net", - "privatelink.datafactory.azure.net", - "privatelink.dev.azuresynapse.net", - "privatelink.dfs.core.windows.net", - "privatelink.dicom.azurehealthcareapis.com", - "privatelink.digitaltwins.azure.net", - "privatelink.directline.botframework.com", - "privatelink.documents.azure.com", - 
"privatelink.eventgrid.azure.net", - "privatelink.file.core.windows.net", - "privatelink.gremlin.cosmos.azure.com", - "privatelink.guestconfiguration.azure.com", - "privatelink.his.arc.azure.com", - "privatelink.kubernetesconfiguration.azure.com", - "privatelink.managedhsm.azure.net", - "privatelink.mariadb.database.azure.com", - "privatelink.media.azure.net", - "privatelink.mongo.cosmos.azure.com", - "privatelink.monitor.azure.com", - "privatelink.mysql.database.azure.com", - "privatelink.notebooks.azure.net", - "privatelink.ods.opinsights.azure.com", - "privatelink.oms.opinsights.azure.com", - "privatelink.pbidedicated.windows.net", - "privatelink.postgres.database.azure.com", - "privatelink.prod.migration.windowsazure.com", - "privatelink.purview.azure.com", - "privatelink.purviewstudio.azure.com", - "privatelink.queue.core.windows.net", - "privatelink.redis.cache.windows.net", - "privatelink.redisenterprise.cache.azure.net", - "privatelink.search.windows.net", - "privatelink.service.signalr.net", - "privatelink.servicebus.windows.net", - "privatelink.siterecovery.windowsazure.com", - "privatelink.sql.azuresynapse.net", - "privatelink.table.core.windows.net", - "privatelink.table.cosmos.azure.com", - "privatelink.tip1.powerquery.microsoft.com", - "privatelink.token.botframework.com", - "privatelink.vaultcore.azure.net", - "privatelink.web.core.windows.net", - "privatelink.webpubsub.azure.com" - ], - "azBackupGeoCodes": { - "australiacentral": "acl", - "australiacentral2": "acl2", - "australiaeast": "ae", - "australiasoutheast": "ase", - "brazilsouth": "brs", - "brazilsoutheast": "bse", - "centraluseuap": "ccy", - "canadacentral": "cnc", - "canadaeast": "cne", - "centralus": "cus", - "eastasia": "ea", - "eastus2euap": "ecy", - "eastus": "eus", - "eastus2": "eus2", - "francecentral": "frc", - "francesouth": "frs", - "germanynorth": "gn", + "enableWsCMKInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + 
"wsCMKSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for API Management." + } + }, + "enableWsAPIMInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsAPIMSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for API Management." + } + }, + "enableWsAppServicesInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsAppServicesSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for App Services." + } + }, + "enableWsAutomationInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsAutomationSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Automation Accounts." + } + }, + "enableWsCognitiveServicesInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsCognitiveServicesSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Cognitive Services." + } + }, + "enableWsComputeInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsComputeSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Compute." 
+ } + }, + "enableWsContainerAppsInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsContainerAppsSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Container Apps." + } + }, + "enableWsContainerInstanceInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsContainerInstanceSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Container Instance." + } + }, + "enableWsContainerRegistryInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsContainerRegistrySelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Container Registry." + } + }, + "enableWsCosmosDbInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsCosmosDbSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Cosmos DB." + } + }, + "enableWsDataExplorerInitiatives": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "wsDataExplorerSelectorMG": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Array of management groups to assign the Workload Specific Compliance initiative for Data Explorer." 
+ }
+ },
+ "enableWsDataFactoryInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsDataFactorySelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Data Factory."
+ }
+ },
+ "enableWsEventGridInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsEventGridSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Event Grid."
+ }
+ },
+ "enableWsEventHubInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsEventHubSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Event Hub."
+ }
+ },
+ "enableWsKeyVaultSupInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsKeyVaultSupSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Key Vault."
+ }
+ },
+ "enableWsKubernetesInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsKubernetesSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Kubernetes."
+ }
+ },
+ "enableWsMachineLearningInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsMachineLearningSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Machine Learning."
+ }
+ },
+ "enableWsMySQLInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsMySQLSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Machine Learning."
+ }
+ },
+ "enableWsNetworkInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsNetworkSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Network and Networking services."
+ }
+ },
+ "enableWsOpenAIInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsOpenAISelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Open AI."
+ }
+ },
+ "enableWsPostgreSQLInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsPostgreSQLSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for PostgreSQL."
+ }
+ },
+ "enableWsServiceBusInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsServiceBusSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Service Bus."
+ }
+ },
+ "enableWsSQLInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsSQLSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for SQL."
+ }
+ },
+ "enableWsStorageInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsStorageSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Storage."
+ }
+ },
+ "enableWsSynapseInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsSynapseSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Synapse."
+ }
+ },
+ "enableWsVirtualDesktopInitiatives": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "wsVirtualDesktopSelectorMG": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of management groups to assign the Workload Specific Compliance initiative for Virtual Desktop."
+ }
+ },
+ "regulatoryComplianceInitativesToAssign": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Array of objects containing built-in Regulatory Compliance policies to assign to sepcfied Management Groups"
+ }
+ },
+ "regCompPolParAusGovIsmRestrictedVmAdminsExclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParAusGovIsmRestrictedResourceTypes": {
+ "type": "string",
+ "defaultValue": "all"
+ },
+ "regCompPolParMPAACertificateThumb": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParMPAAApplicationName": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParMPAAStoragePrefix": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParMPAAResGroupPrefix": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParMPAARBatchMetricName": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParSovBaseConfRegions": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "regCompPolParSovBaseGlobalRegions": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "regCompPolParSwift2020VmAdminsInclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParSwift2020DomainFqdn": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParCanadaFedPbmmVmAdminsInclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParCanadaFedPbmmVmAdminsExclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParCisV2KeyVaultKeysRotateDays": {
+ "type": "int",
+ "defaultValue": 90
+ },
+ "regCompPolParCmmcL3VmAdminsInclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParCmmcL3VmAdminsExclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParHitrustHipaaApplicationName": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParHitrustHipaaStoragePrefix": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParHitrustHipaaResGroupPrefix": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParHitrustHipaaCertificateThumb": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParIrs1075Sep2016VmAdminsExclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParIrs1075Sep2016VmAdminsInclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParNZIsmRestrictedVmAdminsInclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParNZIsmRestrictedVmAdminsExclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParNistSp800171R2VmAdminsExclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParNistSp800171R2VmAdminsInclude": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "regCompPolParSoc2Type2AllowedRegistries": {
+ "type": "string",
+ "defaultValue": "^[^\\/]+\\.azurecr\\.io\\/.+$"
+ },
+ "regCompPolParSoc2Type2MaxCpuUnits": {
+ "type": "string",
+ "defaultValue": "200m"
+ },
+ "regCompPolParSoc2Type2MaxMemoryBytes": {
+ "type": "string",
+ "defaultValue": "1Gi"
+ },
+ "listOfResourceTypesDisallowedForDeletion": {
+ "type": "array",
+ "defaultValue": [
+ "microsoft.managedidentity/userassignedidentities"
+ ]
+ }
+ },
+ "variables": {
+ // Declaring the prescriptive management group structure that will be used in the scope construction
+ "mgmtGroups": {
+ "eslzRoot": "[parameters('enterpriseScaleCompanyPrefix')]",
+ "platform": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'platform')]",
+ "management": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'management')]",
+ "connectivity": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'connectivity')]",
+ "identity": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'identity')]",
+ "lzs": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'landingzones')]",
+ "corp": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'corp')]",
+ "online": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'online')]",
+ "decommissioned": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'decommissioned')]",
+ "sandboxes": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'sandboxes')]"
+ },
+ "mgmtGroupsLite": {
+ "eslzRoot": "[parameters('enterpriseScaleCompanyPrefix')]",
+ "platform": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'platform')]",
+ "lzs": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'landingzones')]",
+ "corp": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'corp')]",
+ "online": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'online')]",
+ "decommissioned": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'decommissioned')]",
+ "sandboxes": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'sandboxes')]"
+ },
+ "copy": [
+ {
+ "name": "mgmtGroupsArray",
+ "count": "[length(items(variables('mgmtGroups')))]",
+ "input": "[items(variables('mgmtGroups'))[copyIndex('mgmtGroupsArray')].value]"
+ },
+ {
+ "name": "mgmtGroupsESLiteArray",
+ "count": "[length(items(variables('mgmtGroupsLite')))]",
+ "input": "[items(variables('mgmtGroupsLite'))[copyIndex('mgmtGroupsESLiteArray')].value]"
+ }
+ ],
+
+ // Declaring scopes that will be used for optional deployments, such as platform components (monitoring, networking, identity), policy assignments, subscription placement etc.
+ "scopes": {
+ "eslzRootManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').eslzRoot)]",
+ "platformManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').platform)]",
+ "managementManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').management)]",
+ "connectivityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').connectivity)]",
+ "identityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').identity)]",
+ "lzsManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').lzs)]",
+ "corpManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').corp)]",
+ "onlineManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').online)]",
+ "decommissionedManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').decommissioned)]",
+ "sandboxManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').sandboxes)]"
+ },
+ // Declaring root uris for external dependency repositories.
+ "rootUris": {
+ "monitorRepo": "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2023-11-14/"
+ },
+ // Declaring all required deployment uri's used for deployments of composite ARM templates for ESLZ
+ "azPrivateDnsPolicyAssignmentMapping": {
+ "https://management.azure.com/": "managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json",
+ "https://management.usgovcloudapi.net": "managementGroupTemplates/policyAssignments/gov/fairfaxDINE-PrivateDNSZonesPolicyAssignment.json"
+ },
+ "azPrivateDnsPolicyAssignment": "[variables('azPrivateDnsPolicyAssignmentMapping')[environment().resourceManager]]",
+ "deploymentUris": {
+ "managementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]",
+ "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]",
+ "roleDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleDefinitions/customRoleDefinitions.json')]",
+ "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]",
+ "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]",
+ "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]",
+ "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]",
+ "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]",
+ "subscriptionPlacement": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json')]",
+ "monitoring": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsWorkspace.json')]",
+ "dataCollectionRuleVmInsights": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-VmInsights.json')]",
+ "userAssignedIdentity": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/userAssignedIdentity.json')]",
+ "resourceGroup": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/resourceGroup.json')]",
+ "ddosProtection": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/ddosProtection.json')]",
+ "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]",
+ "asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]",
+ "regulatoryComplianceInitaitves": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json')]",
+ "resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]",
+ "activityDiagnosticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json')]",
+ "mdfcConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json')]",
+ "mdEnpointsPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json')]",
+ "mdEnpointsAMAPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json')]",
+ "atpOssDbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json')]",
+ "atpSqlDbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json')]",
+ "azVmMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json')]",
+ "azVmssMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json')]",
+ "azVmHybridMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json')]",
+ "azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
+ "azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
+ "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
+ "aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
+ "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]",
+ "aksHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json')]",
+ "ipFwdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json')]",
+ "publicEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json')]",
+ "privateDnsZonePolicyAssignment": "[uri(deployment().properties.templateLink.uri, variables('azPrivateDnsPolicyAssignment'))]",
+ "pipPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json')]",
+ "pipOnNicPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json')]",
+ "mgmtFromInternetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-MgmtPortsFromInternetPolicyAssignment.json')]",
+ "storageHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json')]",
+ "kvGuardrailsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultPolicyAssignment.json')]",
+ "backupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-BackupPolicyAssignment.json')]",
+ "denyHybridNetworkingPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json')]",
+ "auditPeDnsZonesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-PeDnsZonesPolicyAssignment.json')]",
+ "auditAppGwWafPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json')]",
+ "enforceAcsbPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-AcsbPolicyAssignment.json')]",
+ "subnetNsgPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json')]",
+ "sqlAuditPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json')]",
+ "sqlEncryptionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json')]",
+ "sqlThreatPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json')]",
+ "decommissionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-ALZ-DecommissionedPolicyAssignment.json')]",
+ "sandboxPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-ALZ-SandboxPolicyAssignment.json')]",
+ "ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]",
+ "corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeering.json')]",
+ "corpVwanPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringVwan.json')]",
+ "hubVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringHub.json')]",
+ "hubVnetRouting": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/vnetRouteTable.json')]",
+ "privateDnsZones": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/privateDnsZones.json')]",
+ "roleAssignments": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleAssignments/roleAssignment.json')]",
+ "classicResourcesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json')]",
+ "govMdfcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/gov/fairfaxDINE-MDFCConfigPolicyAssignment.json')]",
+ "costOptimizationPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-UnusedResourcesPolicyAssignment.json')]",
+ "trustedLaunchPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-TrustedLaunchPolicyAssignment.json')]",
+ "zoneResilientPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json')]",
+ "resourceRgLocationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json')]",
+ "VMUnmanagedDiskPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json')]",
+ "diagnosticSettingsforManagementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json')]",
+ // references to https://github.com/Azure/azure-monitor-baseline-alerts
+ "monitorPolicyDefinitions": "[uri(variables('rootUris').monitorRepo, 'patterns/alz/alzArm.json')]",
+ "azureUpdateManagerPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json')]",
+ "dataCollectionRuleChangeTracking": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-CT.json')]",
+ "ChangeTrackingVmPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json')]",
+ "ChangeTrackingVmArcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json')]",
+ "ChangeTrackingVmssPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json')]",
+ "MDFCDefenderSqlAma": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json')]",
+ "dataCollectionRuleMdfcDefenderSQL": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-DefenderSQL.json')]",
+ "MDFCSubscriptionEnablement": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/mdfcConfiguration.json')]",
+ // Workload Specific Compliance Initiatives
+ "wsCMKPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json')]",
+ "wsAPIMPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAPIMPolicyAssignment.json')]",
+ "wsAppServicesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAppServicesPolicyAssignment.json')]",
+ "wsAutomationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAutomationPolicyAssignment.json')]",
+ "wsCognitiveServicesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCognitiveServicesPolicyAssignment.json')]",
+ "wsComputePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsComputePolicyAssignment.json')]",
+ "wsContainerAppsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerAppsPolicyAssignment.json')]",
+ "wsContainerInstancePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerInstancePolicyAssignment.json')]",
+ "wsContainerRegistryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerRegistryPolicyAssignment.json')]",
+ "wsCosmosDbPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCosmosDbPolicyAssignment.json')]",
+ "wsDataExplorerPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataExplorerPolicyAssignment.json')]",
+ "wsDataFactoryPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataFactoryPolicyAssignment.json')]",
+ "wsEventGridPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventGridPolicyAssignment.json')]",
+ "wsEventHubPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventHubPolicyAssignment.json')]",
+ "wsKeyVaultSupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultSupPolicyAssignment.json')]",
+ "wsKubernetesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKubernetesPolicyAssignment.json')]",
+ "wsMachineLearningPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMachineLearningPolicyAssignment.json')]",
+ "wsMySQLPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMySQLPolicyAssignment.json')]",
+ "wsNetworkPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsNetworkPolicyAssignment.json')]",
+ "wsOpenAIPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsOpenAIPolicyAssignment.json')]",
+ "wsPostgreSQLPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsPostgreSQLPolicyAssignment.json')]",
+ "wsServiceBusPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsServiceBusPolicyAssignment.json')]",
+ "wsSQLPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSQLPolicyAssignment.json')]",
+ "wsStoragePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json')]",
+ "wsSynapsePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json')]",
+ "wsVirtualDesktopPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json')]",
+ "denyActionDeleteUAMIAMAPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json')]"
+ },
+ // Declaring deterministic deployment names
+ "deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]",
+ "deploymentNames": {
+ "mgmtGroupDeploymentName": "[take(concat('alz-Mgs', variables('deploymentSuffix')), 64)]",
+ "mgmtSubscriptionPlacement": "[take(concat('alz-MgmtSub', variables('deploymentSuffix')), 64)]",
+ "corpPeeringDeploymentName": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 60)]",
+ "hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]",
+ "hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]",
+ "connectivitySubscriptionPlacement": "[take(concat('alz-ConnectivitySub', variables('deploymentSuffix')), 64)]",
+ "identitySubscriptionPlacement": "[take(concat('alz-IdentitySub', variables('deploymentSuffix')), 64)]",
+ "roleDefsDeploymentName": "[take(concat('alz-RoleDefs', variables('deploymentSuffix')), 64)]",
+ "policyDeploymentName": "[take(concat('alz-Policy', variables('deploymentSuffix')), 64)]",
+ "initiativeDeploymentName": "[take(concat('alz-PolicySet', variables('deploymentSuffix')), 64)]",
+ "monitorPolicyDeploymentName": "[take(concat('alz-MonitorPolicy', variables('deploymentSuffix')), 64)]",
+ "ddosRgDeploymentName": "[take(concat('alz-DDoSRg', variables('deploymentSuffix')), 64)]",
+ "ddosDeploymentName": "[take(concat('alz-DDoS', variables('deploymentSuffix')), 64)]",
+ "ddosHubPolicyDeploymentName": "[take(concat('alz-DDoSHubPolicy', variables('deploymentSuffix')), 64)]",
+ "ddosLzPolicyDeploymentName": "[take(concat('alz-DDoSLZPolicy', variables('deploymentSuffix')), 64)]",
+ "monitoringDeploymentName": "[take(concat('alz-Monitoring', variables('deploymentSuffix')), 64)]",
+ "dataCollectionRuleVmInsightsDeploymentName": "[take(concat('alz-DataCollectionRuleVmInsights', variables('deploymentSuffix')), 64)]",
+ "logAnalyticsPolicyDeploymentName": "[take(concat('alz-LAPolicy', variables('deploymentSuffix')), 64)]",
+ "monitorConnectivityDeploymentName": "[take(concat('alz-ConnectivityMonitor', variables('deploymentSuffix')), 64)]",
+ "monitorIdentityDeploymentName": "[take(concat('alz-IdentityMonitor', variables('deploymentSuffix')), 64)]",
+ "monitorManagementDeploymentName": "[take(concat('alz-ManagementMonitor', variables('deploymentSuffix')), 64)]",
+ "monitorLandingZoneDeploymentName": "[take(concat('alz-LandingZoneMonitor', variables('deploymentSuffix')), 64)]",
+ "monitorServiceHealthDeploymentName": "[take(concat('alz-SvcHealthMonitor', variables('deploymentSuffix')), 64)]",
+ "asbPolicyDeploymentName": "[take(concat('alz-ASB', variables('deploymentSuffix')), 64)]",
+ "regulatoryComplianceInitativesToAssignDeploymentName": "[take(concat('alz-RegComp-', deployment().location, '-', uniqueString(parameters('currentDateTimeUtcNow')), '-'), 64)]",
+ "resourceDiagnosticsPolicyDeploymentName": "[take(concat('alz-ResourceDiagnostics', variables('deploymentSuffix')), 64)]",
+ "activityDiagnosticsPolicyDeploymentName": "[take(concat('alz-ActivityDiagnostics', variables('deploymentSuffix')), 64)]",
+ "ascPolicyDeploymentName": "[take(concat('alz-ASC', variables('deploymentSuffix')), 64)]",
+ "atpOssDbPolicyDeploymentName": "[take(concat('alz-AtpOssDb', variables('deploymentSuffix')), 64)]",
+ "atpSqlDbPolicyDeploymentName": "[take(concat('alz-AtpSqlDb', variables('deploymentSuffix')), 64)]",
+ "ascGovPolicyDeploymentName": "[take(concat('alz-Gov-ASC', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityHubDeploymentName": "[take(concat('alz-HubSpoke', variables('deploymentSuffix')), 64)]",
+ "vwanConnectivityHubDeploymentName": "[take(concat('alz-VWanHub', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityHub2DeploymentName": "[take(concat('alz-HubSpoke2', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityRouteTableDeploymentName": "[take(concat('alz-HubRoute', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityRouteTable2DeploymentName": "[take(concat('alz-HubRoute2', variables('deploymentSuffix')), 64)]",
+ "nvaConnectivityHubDeploymentName": "[take(concat('alz-NVAHub', variables('deploymentSuffix')), 64)]",
+ "nvaConnectivityHub2DeploymentName": "[take(concat('alz-NVAHub2', variables('deploymentSuffix')), 64)]",
+ "azVmMonitorPolicyDeploymentName": "[take(concat('alz-AzVmMonitor', variables('deploymentSuffix')), 64)]",
+ "azVmssMonitorPolicyDeploymentName": "[take(concat('alz-AzVmssMonitor', variables('deploymentSuffix')), 64)]",
+ "azVmHybridMonitorPolicyDeploymentName": "[take(concat('alz-AzVmHybridMonitor', variables('deploymentSuffix')), 64)]",
+ "azBackupLzPolicyDeploymentName": "[take(concat('alz-AzBackupLz', variables('deploymentSuffix')), 64)]",
+ "azBackupIdentityPolicyDeploymentName": "[take(concat('alz-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
+ "azPolicyForAksPolicyDeploymentName": "[take(concat('alz-AksPolicy', variables('deploymentSuffix')), 64)]",
+ "aksPrivEscalationPolicyDeploymentName": "[take(concat('alz-AksPrivEsc', variables('deploymentSuffix')), 64)]",
+ "aksHttpsPolicyDeploymentName": "[take(concat('alz-AksHttps', variables('deploymentSuffix')), 64)]",
+ "aksPrivilegedPolicyDeploymentName": "[take(concat('alz-AksPrivileged', variables('deploymentSuffix')), 64)]",
+ "tlsSslPolicyDeploymentName": "[take(concat('alz-TLSSSL', variables('deploymentSuffix')), 64)]",
+ "ipFwPolicyDeploymentName": "[take(concat('alz-IPFwd', variables('deploymentSuffix')), 64)]",
+ "publicEndpointPolicyDeploymentName": "[take(concat('alz-PEndpoint', variables('deploymentSuffix')), 64)]",
+ "privateDnsPolicyDeploymentName": "[take(concat('alz-PrivDNSAssignment', variables('deploymentSuffix')), 64)]",
+ "pipPolicyDeploymentName": "[take(concat('alz-PIP', variables('deploymentSuffix')), 64)]",
+ "pipOnNicPolicyDeploymentName": "[take(concat('alz-PipOnNic', variables('deploymentSuffix')), 64)]",
+ "mgmtFromInternetPolicyDeploymentName": "[take(concat('alz-MgmtPorts', variables('deploymentSuffix')), 64)]",
+ "mgmtFromInternetIdentityPolicyDeploymentName": "[take(concat('alz-MgmtPortsIdentity', variables('deploymentSuffix')), 64)]",
+ "storageHttpsPolicyDeploymentName": "[take(concat('alz-StorageHttps', variables('deploymentSuffix')), 64)]",
+ "kvGuardrailsPolicyDeploymentName": "[take(concat('alz-KvGuardrails', variables('deploymentSuffix')), 64)]",
+ "kvGuardrailsPolicyPlatDeploymentName": "[take(concat('alz-KvGuardrailsPlat', variables('deploymentSuffix')), 64)]",
+ "backupPolicyDeploymentName": "[take(concat('alz-Backup', variables('deploymentSuffix')), 64)]",
+ "backupPlatPolicyDeploymentName": "[take(concat('alz-BackupPlat', variables('deploymentSuffix')), 64)]",
+ "denyHybridNetworkingPolicyDeploymentName": "[take(concat('alz-DenyHybridNetworking', variables('deploymentSuffix')), 64)]",
+ "auditPeDnsZonesPolicyDeploymentName": "[take(concat('alz-AuditPeDnsZones', variables('deploymentSuffix')), 64)]",
+ "auditAppGwWafPolicyDeploymentName": "[take(concat('alz-AppGwWaf', variables('deploymentSuffix')), 64)]",
+ "enforceAcsbPolicyDeploymentName": "[take(concat('alz-Acsb', variables('deploymentSuffix')), 64)]",
+ "subnetNsgPolicyDeploymentName": "[take(concat('alz-SubnetNsg', variables('deploymentSuffix')), 64)]",
+ "subnetNsgIdentityPolicyDeploymentName": "[take(concat('alz-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]",
+ "sqlAuditPolicyDeploymentName": "[take(concat('alz-SqlAudit', variables('deploymentSuffix')), 64)]",
+ "sqlAuditRoleAssignmentDeploymentName1": "[take(concat('alz-SqlAuditRbac1', variables('deploymentSuffix')), 64)]",
+ "sqlAuditRoleAssignmentDeploymentName2": "[take(concat('alz-SqlAuditRbac2', variables('deploymentSuffix')), 64)]",
+ "sqlEncryptionPolicyDeploymentName": "[take(concat('alz-SqlEncrypt', variables('deploymentSuffix')), 64)]",
+ "sqlThreatPolicyDeploymentName": "[take(concat('alz-SqlThreat', 
variables('deploymentSuffix')), 64)]", + "decommissionPolicyDeploymentName": "[take(concat('alz-DecommissionPol', variables('deploymentSuffix')), 64)]", + "sandboxPolicyDeploymentName": "[take(concat('alz-SandboxPol', variables('deploymentSuffix')), 64)]", + "onlineLzSubs": "[take(concat('alz-OnlineLzs', variables('deploymentSuffix')), 60)]", + "corpLzSubs": "[take(concat('alz-CorpLzs', variables('deploymentSuffix')), 60)]", + "corpConnectedMoveLzSubs": "[take(concat('alz-CorpConnLzs', variables('deploymentSuffix')), 50)]", + "corpConnectedLzSubs": "[take(concat('alz-CorpPeering', variables('deploymentSuffix')), 50)]", + "privateDnsZoneRgDeploymentName": "[take(concat('alz-PrivDNSRG', variables('deploymentSuffix')), 64)]", + "privateDnsZonesDeploymentName": "[take(concat('alz-PrivDNSZones', variables('deploymentSuffix')), 35)]", + "privateDnsZoneRg2DeploymentName": "[take(concat('alz-PrivDNSRG2', variables('deploymentSuffix')), 64)]", + "privateDnsZones2DeploymentName": "[take(concat('alz-PrivDNSZones2', variables('deploymentSuffix')), 35)]", + "dnsZoneRoleAssignmentDeploymentName": "[take(concat('alz-DNSZoneRole', variables('deploymentSuffix')), 64)]", + "identityPeeringDeploymentName": "[take(concat('alz-IDPeering', variables('deploymentSuffix')), 64)]", + "identityPeering2DeploymentName": "[take(concat('alz-IDPeering2', variables('deploymentSuffix')), 64)]", + "identityVwanPeeringDeploymentName": "[take(concat('alz-IDVwanPeering', variables('deploymentSuffix')), 64)]", + "identityVwanPeering2DeploymentName": "[take(concat('alz-IDVwanPeering2', variables('deploymentSuffix')), 64)]", + "mdEndpointsDeploymentName": "[take(concat('alz-MDEndpoints', variables('deploymentSuffix')), 64)]", + "mdEndpointsAMADeploymentName": "[take(concat('alz-MDEndpointsAMA', variables('deploymentSuffix')), 64)]", + "corpConnectedLzVwanSubs": "[take(concat('alz-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]", + "pidCuaDeploymentName": "[take(concat('pid-', variables('cuaid'), 
'-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]", + "denyClassicResourcePolicyDeploymentName": "[take(concat('alz-NoClassicResource', variables('deploymentSuffix')), 64)]", + "costOptimizationDeploymentName": "[take(concat('alz-CostOptimization', variables('deploymentSuffix')), 64)]", + "trustedLaunchDeploymentName": "[take(concat('alz-TrustedLaunch', variables('deploymentSuffix')), 64)]", + "zoneResilientDeploymentName": "[take(concat('alz-ZoneResilient', variables('deploymentSuffix')), 64)]", + "resourceRgLocationDeploymentName": "[take(concat('alz-ResourceRGLoc', variables('deploymentSuffix')), 64)]", + "denyVMUnmanagedDiskPolicyDeploymentName": "[take(concat('alz-NoUnmanagedDiskResource', variables('deploymentSuffix')), 64)]", + "ztnPhase1PidCuaDeploymentName": "[take(concat('pid-', variables('ztnPhase1CuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]", + "ambaPortalPidCuaDeploymentName": "[take(concat('pid-', variables('ambaPortalCuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]", + "pidCuaDeploymentNameSecondaryRegion": "[take(concat('pid-', variables('cuaidSecondaryRegion'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]", + "diagnosticSettingsforMGsDeploymentName": "[take(concat('alz-DiagSettingsMGs', variables('deploymentSuffix')), 64)]", + "userAssignedIdentityDeploymentName": "[take(concat('alz-UserAssignedIdentity', variables('deploymentSuffix')), 60)]", + "azureUpdateManagerPolicyDeploymentName": 
"[take(concat('alz-AzureUpdateManager', variables('deploymentSuffix')), 64)]", + "dataCollectionRuleChangeTrackingDeploymentName": "[take(concat('alz-DataCollectionRuleChangeTracking', variables('deploymentSuffix')), 64)]", + "ChangeTrackingVmDeploymentName": "[take(concat('alz-ChangeTracking-VM', variables('deploymentSuffix')), 64)]", + "ChangeTrackingVmArcDeploymentName": "[take(concat('alz-ChangeTracking-VMArc', variables('deploymentSuffix')), 64)]", + "ChangeTrackingVmssDeploymentName": "[take(concat('alz-ChangeTracking-VMSS', variables('deploymentSuffix')), 64)]", + "MDFCDefenderSqlAmaDeploymentName": "[take(concat('alz-MDFCDefenderForSqlAma', variables('deploymentSuffix')), 64)]", + "dataCollectionRuleMdfcDefenderSQLDeploymentName": "[take(concat('alz-DataCollectionRuleDefenderSQL', variables('deploymentSuffix')), 64)]", + "MDFCSubscriptionEnableDeploymentName": "[take(concat('alz-MDFCSubEnable', variables('deploymentSuffix')), 62)]", + "pidCuaDeploymentNameSinglePlatformSub": "[take(concat('pid-', variables('cuaidSinglePlatformSub'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]", + "pidCuaDeploymentNameMultiPlatformSubs": "[take(concat('pid-', variables('cuaidMultiPlatformSubs'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]", + "pidCuaDeploymentNameNetworkingNone": "[take(concat('pid-', variables('cuaidNetworkingNone'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]", + "pidCuaDeploymentNameNetworkingHubSpoke": "[take(concat('pid-', variables('cuaidNetworkingHubSpoke'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]", + "pidCuaDeploymentNameNetworkingVirtualWan": "[take(concat('pid-', variables('cuaidNetworkingVirtualWan'), '-' 
, uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]", + "denyActionDeleteUAMIAMAPolicyDeploymentName": "[take(concat('alz-DenyActionDeleteUAMI', variables('deploymentSuffix')), 64)]", + // Workload Specific Compliance Initiatives + "wsCMKDeploymentName": "[take(concat('alz-wsCMK', variables('deploymentSuffix')), 35)]", + "wsAPIMDeploymentName": "[take(concat('alz-wsAPIM', variables('deploymentSuffix')), 35)]", + "wsAppServicesDeploymentName": "[take(concat('alz-wsAppService', variables('deploymentSuffix')), 35)]", + "wsAutomationDeploymentName": "[take(concat('alz-wsAutomation', variables('deploymentSuffix')), 35)]", + "wsCognitiveServicesDeploymentName": "[take(concat('alz-wsCognitiveServices', variables('deploymentSuffix')), 35)]", + "wsComputeDeploymentName": "[take(concat('alz-wsCompute', variables('deploymentSuffix')), 35)]", + "wsContainerAppsDeploymentName": "[take(concat('alz-wsContainerApps', variables('deploymentSuffix')), 35)]", + "wsContainerInstanceDeploymentName": "[take(concat('alz-wsContainerInstance', variables('deploymentSuffix')), 35)]", + "wsContainerRegistryDeploymentName": "[take(concat('alz-wsContainerRegistry', variables('deploymentSuffix')), 35)]", + "wsCosmosDbDeploymentName": "[take(concat('alz-wsCosmosDb', variables('deploymentSuffix')), 35)]", + "wsDataExplorerDeploymentName": "[take(concat('alz-wsDataExplorer', variables('deploymentSuffix')), 35)]", + "wsDataFactoryDeploymentName": "[take(concat('alz-wsDataFactory', variables('deploymentSuffix')), 35)]", + "wsEventGridDeploymentName": "[take(concat('alz-wsEventGrid', variables('deploymentSuffix')), 35)]", + "wsEventHubDeploymentName": "[take(concat('alz-wsEventHub', variables('deploymentSuffix')), 35)]", + "wsKeyVaultSupDeploymentName": "[take(concat('alz-wsKeyVaultSup', variables('deploymentSuffix')), 35)]", + "wsKubernetesDeploymentName": "[take(concat('alz-wsKubernetes', variables('deploymentSuffix')), 35)]", 
+ "wsMachineLearningDeploymentName": "[take(concat('alz-wsMachineLearning', variables('deploymentSuffix')), 35)]", + "wsMySQLDeploymentName": "[take(concat('alz-wsMySQL', variables('deploymentSuffix')), 35)]", + "wsNetworkDeploymentName": "[take(concat('alz-wsNetwork', variables('deploymentSuffix')), 35)]", + "wsOpenAIDeploymentName": "[take(concat('alz-wsOpenAI', variables('deploymentSuffix')), 35)]", + "wsPostgreSQLDeploymentName": "[take(concat('alz-wsPostgreSQL', variables('deploymentSuffix')), 35)]", + "wsServiceBusDeploymentName": "[take(concat('alz-wsServiceBus', variables('deploymentSuffix')), 35)]", + "wsSQLDeploymentName": "[take(concat('alz-wsSQL', variables('deploymentSuffix')), 35)]", + "wsStorageDeploymentName": "[take(concat('alz-wsStorage', variables('deploymentSuffix')), 35)]", + "wsSynapseDeploymentName": "[take(concat('alz-wsSynapse', variables('deploymentSuffix')), 35)]", + "wsVirtualDesktopDeploymentName": "[take(concat('alz-wsVirtualDesktop', variables('deploymentSuffix')), 35)]" + }, + "esLiteDeploymentNames": { + "mgmtGroupLiteDeploymentName": "[take(concat('alz-MgsLite', variables('deploymentSuffix')), 64)]", + "mgmtFromInternetIdentityLitePolicyDeploymentName": "[take(concat('alz-MgmtIdentity', variables('deploymentSuffix')), 64)]", + "azBackupIdentityLitePolicyDeploymentName": "[take(concat('alz-AzBackupIdentity', variables('deploymentSuffix')), 64)]", + "subnetNsgIdentityLitePolicyDeploymentName": "[take(concat('alz-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]", + "monitoringLiteDeploymentName": "[take(concat('alz-MonitoringLite', variables('deploymentSuffix')), 64)]", + "logAnalyticsLitePolicyDeploymentName": "[take(concat('alz-LAPolicyLite', variables('deploymentSuffix')), 64)]", + "platformLiteSubscriptionPlacement": "[take(concat('alz-PlatformSubLite', variables('deploymentSuffix')), 64)]", + "vnetConnectivityHubLiteDeploymentName": "[take(concat('alz-VnetHubLite', variables('deploymentSuffix')), 64)]", + 
"vwanConnectivityHubLiteDeploymentName": "[take(concat('alz-VWanHubLite', variables('deploymentSuffix')), 64)]", + "nvaConnectivityHubLiteDeploymentName": "[take(concat('alz-NVAHubLite', variables('deploymentSuffix')), 64)]", + "vnetConnectivityHubLite2DeploymentName": "[take(concat('alz-VnetHubLite2', variables('deploymentSuffix')), 64)]", + "hubPeeringDeploymentName": "[take(concat('alz-HubPeering', variables('deploymentSuffix')), 60)]", + "hubPeering2DeploymentName": "[take(concat('alz-HubPeering2', variables('deploymentSuffix')), 60)]", + "vnetConnectivityRouteTableDeploymentName": "[take(concat('alz-HubRoute', variables('deploymentSuffix')), 64)]", + "vnetConnectivityRouteTable2DeploymentName": "[take(concat('alz-HubRoute2', variables('deploymentSuffix')), 64)]", + "nvaConnectivityHubLite2DeploymentName": "[take(concat('alz-NVAHubLite2', variables('deploymentSuffix')), 64)]", + "ddosRgLiteDeploymentName": "[take(concat('alz-DDoSRgLite', variables('deploymentSuffix')), 64)]", + "ddosLiteDeploymentName": "[take(concat('alz-DDoSLite', variables('deploymentSuffix')), 64)]", + "ddosHubLitePolicyDeploymentName": "[take(concat('alz-DDoSHubPolicyLite', variables('deploymentSuffix')), 64)]", + "privateDnsZoneRgLiteDeploymentName": "[take(concat('alz-PrivDNSRGLite', variables('deploymentSuffix')), 64)]", + "privateDnsZonesLiteDeploymentName": "[take(concat('alz-PrivDNSLite', variables('deploymentSuffix')), 35)]", + "privateDnsZonesLite1DeploymentName": "[take(concat('alz-PrivDNSLite1', variables('deploymentSuffix')), 35)]", + "privateDnsZoneRgLite2DeploymentName": "[take(concat('alz-PrivDNSRGLite2', variables('deploymentSuffix')), 64)]", + "privateDnsZonesLite2DeploymentName": "[take(concat('alz-PrivDNSLite2', variables('deploymentSuffix')), 35)]", + "monitorPolicyLiteDeploymentName": "[take(concat('alz-MonitorPolicyLite', variables('deploymentSuffix')), 64)]", + "dataCollectionRuleVmInsightsLiteDeploymentName": "[take(concat('alz-DataCollectionRuleVmInsightsLite', 
variables('deploymentSuffix')), 64)]", + "dataCollectionRuleChangeTrackingLiteDeploymentName": "[take(concat('alz-DataCollectionRuleChangeTrackingLite', variables('deploymentSuffix')), 64)]", + "dataCollectionRuleMdfcDefenderSQLLiteDeploymentName": "[take(concat('alz-DataCollectionRuleDefenderSQLLite', variables('deploymentSuffix')), 64)]", + "userAssignedIdentityLiteDeploymentName": "[take(concat('alz-UserAssignedIdentityLite', variables('deploymentSuffix')), 60)]" + }, + // Declaring deterministic names for Resource Groups that will be created for platform resources + "platformRgNames": { + "mgmtRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-mgmt')]", + "connectivityRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocation'))]", + "connectivityRgSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocationSecondary'))]", + "ddosRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ddos')]", + "privateDnsRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-privatedns')]", + "privateDnsRg2": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-privatedns-02')]", + "identityVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]", + "identityVnetRgSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocationSecondary'))]", + "lzVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]" + }, + // Declaring deterministic names for platform resources that will be created + "platformResourceNames": { + "logAnalyticsWorkspace": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-law')]", + "dataCollectionRuleVmInsights": "[concat('dcr-vminsights-prod-', parameters('connectivityLocation'), '-001')]", + "dataCollectionRuleChangeTracking": "[concat('dcr-changetracking-prod-', 
parameters('connectivityLocation'), '-001')]", + "dataCollectionRuleMdfcDefenderSql": "[concat('dcr-defendersql-prod-', parameters('connectivityLocation'), '-001')]", + "userAssignedIdentity": "[concat('id-ama-prod-', parameters('connectivityLocation'), '-001')]", + "automationAccount": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-aauto')]", + "vpnGwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vpngw-', parameters('connectivityLocation'))]", + "erGwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ergw-', parameters('connectivityLocation'))]", + "ddosName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ddos-', parameters('connectivityLocation'))]", + "azFwPolicyName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-azfwpolicy-', parameters('connectivityLocation'))]", + "azFwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-fw-', parameters('connectivityLocation'))]", + "azFwNameSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-fw-', parameters('connectivityLocationSecondary'))]", + "azErGwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-erpip-', parameters('connectivityLocation'))]", + "hubName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-hub-', parameters('connectivityLocation'))]", + "hubNameSecondary": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-hub-', parameters('connectivityLocationSecondary'))]", + "vwanName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vwan-', parameters('connectivityLocation'))]", + "azVpnGwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-gwpip-', parameters('connectivityLocation'))]", + "azFwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-fwpip-', parameters('connectivityLocation'))]", + "identityVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]", + "identityVnetSecondary": 
"[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocationSecondary'))]", + "lzVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('connectivityLocation'))]" + }, + // Declaring deterministic resourceId's for platform resources that will be created + "singleVsDedicatedMgmtSub": "[if(empty(parameters('managementSubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('managementSubscriptionId'))]", + "singleVsDedicatedConnectivitySub": "[if(empty(parameters('connectivitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('connectivitySubscriptionId'))]", + "platformResourceIds": { + "logAnalyticsResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.OperationalInsights/workspaces/', variables('platformResourceNames').logAnalyticsWorkspace)]", + "dataCollectionRuleVmInsightsResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Insights/dataCollectionRules/', variables('platformResourceNames').dataCollectionRuleVmInsights)]", + "dataCollectionRuleChangeTrackingResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Insights/dataCollectionRules/', variables('platformResourceNames').dataCollectionRuleChangeTracking)]", + "dataCollectionRuleMdfcDefenderSQLResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Insights/dataCollectionRules/', variables('platformResourceNames').dataCollectionRuleMdfcDefenderSql)]", + "automationResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, 
'/providers/Microsoft.Automation/automationAccounts/', variables('platformResourceNames').automationAccount)]", + "ddosProtectionResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').ddosRg, '/providers/Microsoft.Network/ddosProtectionPlans/', variables('platformResourceNames').ddosName)]", + "vNetHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualNetworks/', variables('platformResourceNames').hubName)]", + "vNetHubResourceIdSecondary": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRgSecondary, '/providers/Microsoft.Network/virtualNetworks/', variables('platformResourceNames').hubNameSecondary)]", + "vWanHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualHubs/', variables('platformResourceNames').hubName)]", + "vWanHubResourceIdSecondary": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualHubs/', variables('platformResourceNames').hubNameSecondary)]", + "privateDnsRgResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').privateDnsRg)]", + "azFirewallResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/azureFirewalls/', variables('platformResourceNames').azFwName)]", + "azFirewallResourceIdSecondary": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), 
'/resourceGroups/', variables('platformRgNames').connectivityRgSecondary, '/providers/Microsoft.Network/azureFirewalls/', variables('platformResourceNames').azFwNameSecondary)]", + "userAssignedIdentityResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', variables('platformResourceNames').userAssignedIdentity)]" + }, + // Declaring deterministic resourceId's for ES Lite platform resources (as they will be consolidated into a single platform subscription) + "deterministicRoleAssignmentGuids": { + "ddosForConnectivity": "[take(guid(concat(parameters('enterpriseScaleCompanyPrefix'), 'ddos')), 10)]", + "backupForIdentity": "[take(guid(concat(parameters('enterpriseScaleCompanyPrefix'), 'idbackup')), 10)]" + }, + "privateDnsZones": "[array(parameters('privateDnsZonesToDeploy'))]", + "azBackupGeoCodes": { + "australiacentral": "acl", + "australiacentral2": "acl2", + "australiaeast": "ae", + "australiasoutheast": "ase", + "brazilsouth": "brs", + "brazilsoutheast": "bse", + "centraluseuap": "ccy", + "canadacentral": "cnc", + "canadaeast": "cne", + "centralus": "cus", + "eastasia": "ea", + "eastus2euap": "ecy", + "eastus": "eus", + "eastus2": "eus2", + "francecentral": "frc", + "francesouth": "frs", + "germanynorth": "gn", "germanywestcentral": "gwc", "centralindia": "inc", "southindia": "ins", "westindia": "inw", + "italynorth": "itn", "japaneast": "jpe", "japanwest": "jpw", "jioindiacentral": "jic", 
@@ -1006,1181 +1991,4447 @@ "germanycentral": "gec", "germanynortheast": "gne" }, - "privateDnsZonesMerge": "[if(contains(variables('azBackupGeoCodes'), parameters('connectivityLocation')), union(variables('privateDnsZones'), createArray(format('privatelink.{0}.backup.windowsazure.com', variables('azBackupGeoCodes')[toLower(parameters('connectivityLocation'))]))), variables('privateDnsZones'))]", - "roleDefinitions": { - "networkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7" + "privateDnsZonesMerge": "[if(and(contains(variables('azBackupGeoCodes'), parameters('connectivityLocation')), contains(variables('privateDnsZones'), 'privatelink.regionGeoShortCode.backup.windowsazure.com')), union(createArray(replace(variables('privateDnsZones')[0], '.regionGeoShortCode.', concat('.', variables('azBackupGeoCodes')[toLower(parameters('connectivityLocation'))], '.'))), variables('privateDnsZones')), variables('privateDnsZones'))]", + "privateDnsZonesMergedWithBackupPlaceholderRemoved": "[filter(variables('privateDnsZonesMerge'), lambda('i', not(equals(lambdaVariables('i'), 'privatelink.regionGeoShortCode.backup.windowsazure.com'))))]", + "subscriptionIds": "[union(parameters('onlineLzSubscriptionId'), parameters('corpLzSubscriptionId'), map(parameters('corpConnectedLzSubscriptionId'), lambda('sub', lambdaVariables('sub').subs)), if(empty(parameters('singlePlatformSubscriptionId')), if(empty(parameters('connectivitySubscriptionId')), createArray(parameters('managementSubscriptionId'), parameters('identitySubscriptionId')), createArray(parameters('managementSubscriptionId'), parameters('connectivitySubscriptionId'), parameters('identitySubscriptionId'))), createArray(parameters('singlePlatformSubscriptionId'))))]", + "roleDefinitions": { + "networkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7" + }, + "cuaid": "35c42e79-00b3-42eb-a9ac-e542953efb3c", + "cuaidSinglePlatformSub": "b35a8452-8a67-49f9-b1a9-1aee3c1a13c2", + "cuaidMultiPlatformSubs": 
"725aea60-cfaa-4a0c-9fe7-71b07f53803d", + "cuaidNetworkingNone": "35c1ce02-165f-43b2-8d3a-fc68a04b802a", + "cuaidNetworkingHubSpoke": "f7fcc714-0c0d-4011-87bf-319810bbb03d", + "cuaidNetworkingVirtualWan": "0263335d-f570-470c-8389-aa6c916e5008", + "ztnPhase1CuaId": "f09f64b8-5cb3-4b16-900d-6ba1df8a597e", + "ambaPortalCuaId": "5f0e5693-3998-4ae2-8115-ee96e38dac62", + "cuaidSecondaryRegion": "b8cb7850-a693-4b04-a3a8-5441491966d6" + }, + "resources": [ + /* + The following deployment will create the management group structure for ESLZ and ensure the sustainable, scalable architecture + */ + { + // Creating the ESLZ management group structure + "condition": "[empty(parameters('singlePlatformSubscriptionId'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').mgmtGroupDeploymentName]", + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').managementGroups]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + // Deploying ALZ Custom RBAC Role Definitions + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').roleDefsDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').roleDefinitions]" + } + } + }, + /* + The following deployments will deploy the required 
proactive and preventive Azure policies for ESLZ policy driven governance + */ + { + // Deploying ESLZ custom policies. + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').policyDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').policyDefinitions]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + // Deploying ESLZ custom initiatives. + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').initiativeDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').initiativeDefinitions]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + // Deploying AMBA custom policies. 
Note: These policies are pulled from AMBA remote repo (https://www.github.com/Azure/azure-monitor-baseline-alerts). See definition of deploymentUris.monitorPolicyDefinitions for more details + "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), equals(parameters('enableMonitorBaselines'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').monitorPolicyDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitorPolicyDefinitions]" + }, + "parameters": { + "enterpriseScaleCompanyPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "telemetryOptOut": { + "value": "[parameters('telemetryOptOut')]" + }, + "platformManagementGroup": { + "value": "[variables('mgmtGroups').platform]" + }, + "IdentityManagementGroup": { + "value": "[variables('mgmtGroups').identity]" + }, + "managementManagementGroup": { + "value": "[variables('mgmtGroups').management]" + }, + "connectivityManagementGroup": { + "value": "[variables('mgmtGroups').connectivity]" + }, + "LandingZoneManagementGroup": { + "value": "[variables('mgmtGroups').lzs]" + }, + "enableAMBAConnectivity": { + "value": "[parameters('enableMonitorConnectivity')]" + }, + "enableAMBAIdentity": { + "value": "[parameters('enableMonitorIdentity')]" + }, + "enableAMBALandingZone": { + "value": "[parameters('enableMonitorLandingZones')]" + }, + "enableAMBAManagement": { + "value": "[parameters('enableMonitorManagement')]" + }, + 
"enableAMBAServiceHealth": { + "value": "[parameters('enableMonitorBaselines')]" + }, + "delayCount": { + "value": "[parameters('delayCount')]" + }, + "policyAssignmentParametersCommon": { + "value": { + "alzMonitorResourceGroupName": { + "value": "[parameters('monitorAlertsResourceGroup')]" + }, + "alzMonitorResourceGroupLocation": { + "value": "[deployment().location]" + } + } + }, + "policyAssignmentParametersServiceHealth": { + "value": { + "alzMonitorActionGroupEmail": { + "value": "[parameters('emailContactActionGroup')]" + } + } + } + } + } + }, + { + /// Deploying AMBA custom policies. Note: These policies are pulled from AMBA remote repo (https://www.github.com/Azure/azure-monitor-baseline-alerts). See definition of deploymentUris.monitorPolicyDefinitions for more details + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableMonitorBaselines'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('esLiteDeploymentNames').monitorPolicyLiteDeploymentName]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitorPolicyDefinitions]" + }, + "parameters": { + "enterpriseScaleCompanyPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "telemetryOptOut": { + "value": "[parameters('telemetryOptOut')]" + }, + "platformManagementGroup": { + "value": "[variables('mgmtGroups').platform]" + }, + "IdentityManagementGroup": { + "value": "[variables('mgmtGroups').platform]" + }, + "managementManagementGroup": { + "value": "[variables('mgmtGroups').platform]" + }, + 
"connectivityManagementGroup": { + "value": "[variables('mgmtGroups').platform]" + }, + "LandingZoneManagementGroup": { + "value": "[variables('mgmtGroups').lzs]" + }, + "enableAMBAConnectivity": { + "value": "[parameters('enableMonitorConnectivity')]" + }, + "enableAMBAIdentity": { + "value": "[parameters('enableMonitorIdentity')]" + }, + "enableAMBALandingZone": { + "value": "[parameters('enableMonitorLandingZones')]" + }, + "enableAMBAManagement": { + "value": "[parameters('enableMonitorManagement')]" + }, + "enableAMBAServiceHealth": { + "value": "[parameters('enableMonitorBaselines')]" + }, + "delayCount": { + "value": "[parameters('delayCount')]" + }, + "policyAssignmentParametersCommon": { + "value": { + "alzMonitorResourceGroupName": { + "value": "[parameters('monitorAlertsResourceGroup')]" + }, + "alzMonitorResourceGroupLocation": { + "value": "[deployment().location]" + } + } + }, + "policyAssignmentParametersServiceHealth": { + "value": { + "alzMonitorActionGroupEmail": { + "value": "[parameters('emailContactActionGroup')]" + } + } + } + } + } + }, + { + // One of Azure's untold stories..... 
+ "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[concat('preparingToLaunch', copyIndex())]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[variables('deploymentNames').initiativeDeploymentName]" + ], + "copy": { + "batchSize": 1, + "count": "[parameters('delayCount')]", + "mode": "Serial", + "name": "policyCompletion" + }, + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [], + "outputs": {} + } + } + }, + /* + The following deployments will organize the dedicated platform subscriptions into their respective management groups + */ + { + // Placing management subscription into dedicated management group + "condition": "[not(empty(parameters('managementSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').mgmtSubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').managementManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').management]" + }, + "subscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + } + } + } + }, + { + // Placing connectivity subscription into dedicated management group + "condition": "[not(empty(parameters('connectivitySubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": 
"[variables('deploymentNames').connectivitySubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').connectivityManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').connectivity]" + }, + "subscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + } + } + }, + { + // Placing identity subscription into dedicated management group + "condition": "[not(empty(parameters('identitySubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').identitySubscriptionPlacement]", + "location": "[deployment().location]", + "scope": "[variables('scopes').identityManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').identity]" + }, + "subscriptionId": { + "value": "[parameters('identitySubscriptionId')]" + } + } + } + }, + /* + The following deployments will optionally configure the governance, security, and monitoring for the Azure platform and landing zones + */ + { + // Deploying Log Analytics workspace to management subscription if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": 
"[variables('deploymentNames').monitoringDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitoring]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "workspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationAccountName": { + "value": "[variables('platformResourceNames').automationAccount]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "retentionInDays": { + "value": "[parameters('retentionInDays')]" + }, + "enableSentinel": { + "value": "[parameters('enableSentinel')]" + } + } + } + }, + { + // Deploying Data Collection Rule for VMInsights if condition is true + "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableVmInsights'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').dataCollectionRuleVmInsights]" + }, + "parameters": { + "WorkspaceResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "WorkspaceLocation": 
{ + "value": "[deployment().location]" + }, + "userGivenDcrName": { + "value": "[variables('platformResourceNames').dataCollectionRuleVmInsights]" + } + } + } + }, + { + // Deploying Data Collection Rule for Change Tracking if condition is true + "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').dataCollectionRuleChangeTracking]" + }, + "parameters": { + "WorkspaceResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "WorkspaceLocation": { + "value": "[deployment().location]" + }, + "dataCollectionRuleName": { + "value": "[variables('platformResourceNames').dataCollectionRuleChangeTracking]" + } + } + } + }, + { + // Deploying Data Collection Rule for Mdfc Defender for SQL if condition is true + "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').dataCollectionRuleMdfcDefenderSQLDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + 
"properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').dataCollectionRuleMdfcDefenderSQL]" + }, + "parameters": { + "WorkspaceResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "WorkspaceLocation": { + "value": "[deployment().location]" + }, + "userGivenDcrName": { + "value": "[variables('platformResourceNames').dataCollectionRuleMdfcDefenderSql]" + } + } + } + }, + { + // Deploying user assigned identity if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').userAssignedIdentityDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').userAssignedIdentity]" + }, + "parameters": { + "location": { + "value": "[deployment().location]" + }, + "userAssignedIdentityName": { + "value": "[variables('platformResourceNames').userAssignedIdentity]" + }, + "userAssignedIdentityResourceGroup": { + "value": "[variables('platformRgNames').mgmtRg]" + } + } + } + }, + { + // Assigning Log Analytics workspace policy to management management group if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').logAnalyticsPolicyDeploymentName]", + "scope": "[variables('scopes').managementManagementGroup]", + "location": "[deployment().location]", + 
"dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "logAnalyticsWorkspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationAccountName": { + "value": "[variables('platformResourceNames').automationAccount]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "retentionInDays": { + "value": "[parameters('retentionInDays')]" + } + } + } + }, + { + // Deploying Diagnostic Settings to management groups if Log Analytics was deployed via a loop + "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('mgmtGroupsArray')[copyIndex()], variables('deploymentNames').diagnosticSettingsforMGsDeploymentName), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', variables('mgmtGroupsArray')[copyIndex()])]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "copy": { + "name": "mgDiagSettings", + "count": "[length(variables('mgmtGroupsArray'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').diagnosticSettingsforManagementGroups]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + } + } + } + }, + { + // Deploying Diagnostic Settings to ESLite management groups if Log Analytics was deployed via a loop + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), empty(parameters('managementSubscriptionId')), equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('mgmtGroupsESLiteArray')[copyIndex()], variables('deploymentNames').diagnosticSettingsforMGsDeploymentName), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', variables('mgmtGroupsESLiteArray')[copyIndex()])]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "copy": { + "name": "mgDiagSettings", + "count": "[length(variables('mgmtGroupsESLiteArray'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').diagnosticSettingsforManagementGroups]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": 
"[variables('platformResourceIds').logAnalyticsResourceId]" + } + } + } + }, + { + // Assigning Microsoft Cloud Security Benchmark policy to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAsc'), 'Yes')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').asbPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').asbPolicyInitiative]" + }, + "parameters": {} + } + }, + { + // Assigning Workload Specific Customer Managed Keys Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsCMKInitiatives'), 'Yes'), not(empty(parameters('wsCMKSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsCMKDeploymentName, '-', replace(parameters('wsCMKSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsCMKSelectorMG')[copyIndex()], 'contoso', 
parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsCMKmg", + "count": "[length(parameters('wsCMKSelectorMG'))]" + }, + "properties": { 
+ "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsCMKPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific APIM Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsAPIMInitiatives'), 'Yes'), not(empty(parameters('wsAPIMSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsAPIMDeploymentName, '-', replace(parameters('wsAPIMSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsAPIMSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsAPIMmg", + "count": "[length(parameters('wsAPIMSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsAPIMPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific App Services Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsAppServicesInitiatives'), 'Yes'), not(empty(parameters('wsAppServicesSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsAppServicesDeploymentName, '-', 
replace(parameters('wsAppServicesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsAppServicesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsAppServicesmg", + "count": "[length(parameters('wsAppServicesSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsAppServicesPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Automation Accounts Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsAutomationInitiatives'), 'Yes'), not(empty(parameters('wsAutomationSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsAutomationDeploymentName, '-', replace(parameters('wsAutomationSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsAutomationSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsAutomationmg", + "count": "[length(parameters('wsAutomationSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsAutomationPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Cognitive Services Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), 
not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsCognitiveServicesInitiatives'), 'Yes'), not(empty(parameters('wsCognitiveServicesSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsCognitiveServicesDeploymentName, '-', replace(parameters('wsCognitiveServicesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsCognitiveServicesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsCognitiveServicesmg", + "count": "[length(parameters('wsCognitiveServicesSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsCognitiveServicesPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Compute Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsComputeInitiatives'), 'Yes'), not(empty(parameters('wsComputeSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsComputeDeploymentName, '-', replace(parameters('wsComputeSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsComputeSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsComputemg", + "count": "[length(parameters('wsComputeSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsComputePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + 
"value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Container Apps Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsContainerAppsInitiatives'), 'Yes'), not(empty(parameters('wsContainerAppsSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsContainerAppsDeploymentName, '-', replace(parameters('wsContainerAppsSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsContainerAppsSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsContainerAppsmg", + "count": "[length(parameters('wsContainerAppsSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsContainerAppsPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Container Instance Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsContainerInstanceInitiatives'), 'Yes'), not(empty(parameters('wsContainerInstanceSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsContainerInstanceDeploymentName, '-', replace(parameters('wsContainerInstanceSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": 
"[concat('Microsoft.Management/managementGroups/', replace(parameters('wsContainerInstanceSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + 
"corpConnectedMoveLzs" + ], + "copy": { + "name": "wsContainerInstancemg", + "count": "[length(parameters('wsContainerInstanceSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsContainerInstancePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Container Registry Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsContainerRegistryInitiatives'), 'Yes'), not(empty(parameters('wsContainerRegistrySelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsContainerRegistryDeploymentName, '-', replace(parameters('wsContainerRegistrySelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsContainerRegistrySelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsContainerRegistrymg", + "count": "[length(parameters('wsContainerRegistrySelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsContainerRegistryPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Cosmos DB Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsCosmosDbInitiatives'), 'Yes'), 
not(empty(parameters('wsCosmosDbSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsCosmosDbDeploymentName, '-', replace(parameters('wsCosmosDbSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsCosmosDbSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsCosmosDbmg", + "count": "[length(parameters('wsCosmosDbSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsCosmosDbPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Data Explorer Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsDataExplorerInitiatives'), 'Yes'), not(empty(parameters('wsDataExplorerSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsDataExplorerDeploymentName, '-', replace(parameters('wsDataExplorerSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsDataExplorerSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsDataExplorermg", + "count": "[length(parameters('wsDataExplorerSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsDataExplorerPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning 
Workload Specific Data Factory Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsDataFactoryInitiatives'), 'Yes'), not(empty(parameters('wsDataFactorySelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsDataFactoryDeploymentName, '-', replace(parameters('wsDataFactorySelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsDataFactorySelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsDataFactorymg", + "count": "[length(parameters('wsDataFactorySelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsDataFactoryPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Event Grid Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsEventGridInitiatives'), 'Yes'), not(empty(parameters('wsEventGridSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsEventGridDeploymentName, '-', replace(parameters('wsEventGridSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsEventGridSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsEventGridmg", + "count": "[length(parameters('wsEventGridSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('deploymentUris').wsEventGridPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Event Hub Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsEventHubInitiatives'), 'Yes'), not(empty(parameters('wsEventHubSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsEventHubDeploymentName, '-', replace(parameters('wsEventHubSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsEventHubSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "policyCompletion", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "wsEventHubmg", + "count": "[length(parameters('wsEventHubSelectorMG'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').wsEventHubPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "assignmentIndex": { + "value": "[copyIndex()]" + } + } + } + }, + { + // Assigning Workload Specific Key Vault Supplementary Initiaitve to selected management groups if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsKeyVaultSupInitiatives'), 'Yes'), not(empty(parameters('wsKeyVaultSupSelectorMG'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[take(concat(variables('deploymentNames').wsKeyVaultSupDeploymentName, '-', replace(parameters('wsKeyVaultSupSelectorMG')[copyIndex()], 
'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsKeyVaultSupSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsKeyVaultSupmg",
+ "count": "[length(parameters('wsKeyVaultSupSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsKeyVaultSupPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific Kubernetes Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsKubernetesInitiatives'), 'Yes'), not(empty(parameters('wsKubernetesSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsKubernetesDeploymentName, '-', replace(parameters('wsKubernetesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsKubernetesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsKubernetessmg",
+ "count": "[length(parameters('wsKubernetesSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsKubernetesPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific Machine Learning Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsMachineLearningInitiatives'), 'Yes'), not(empty(parameters('wsMachineLearningSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsMachineLearningDeploymentName, '-', replace(parameters('wsMachineLearningSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsMachineLearningSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsMachineLearningsmg",
+ "count": "[length(parameters('wsMachineLearningSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsMachineLearningPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific MySQL Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsMySQLInitiatives'), 'Yes'), not(empty(parameters('wsMySQLSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsMySQLDeploymentName, '-', replace(parameters('wsMySQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsMySQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsMySQLmg",
+ "count": "[length(parameters('wsMySQLSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsMySQLPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific Network and Networking services Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsNetworkInitiatives'), 'Yes'), not(empty(parameters('wsNetworkSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsNetworkDeploymentName, '-', replace(parameters('wsNetworkSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsNetworkSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsNetworkmg",
+ "count": "[length(parameters('wsNetworkSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsNetworkPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ },
+ "ddosPlanResourceId": {
+ "value": "[variables('platformResourceIds').ddosProtectionResourceId]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific OpenAI Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsOpenAIInitiatives'), 'Yes'), not(empty(parameters('wsOpenAISelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsOpenAIDeploymentName, '-', replace(parameters('wsOpenAISelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsOpenAISelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsOpenAImg",
+ "count": "[length(parameters('wsOpenAISelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsOpenAIPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific PostgreSQL Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsPostgreSQLInitiatives'), 'Yes'), not(empty(parameters('wsPostgreSQLSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsPostgreSQLDeploymentName, '-', replace(parameters('wsPostgreSQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsPostgreSQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsPostgreSQLmg",
+ "count": "[length(parameters('wsPostgreSQLSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsPostgreSQLPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific Service Bus Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsServiceBusInitiatives'), 'Yes'), not(empty(parameters('wsServiceBusSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsServiceBusDeploymentName, '-', replace(parameters('wsServiceBusSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsServiceBusSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsServiceBusmg",
+ "count": "[length(parameters('wsServiceBusSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsServiceBusPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific SQL Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsSQLInitiatives'), 'Yes'), not(empty(parameters('wsSQLSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsSQLDeploymentName, '-', replace(parameters('wsSQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsSQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsSQLmg",
+ "count": "[length(parameters('wsSQLSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsSQLPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific Storage Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsStorageInitiatives'), 'Yes'), not(empty(parameters('wsStorageSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsStorageDeploymentName, '-', replace(parameters('wsStorageSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsStorageSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsStoragemg",
+ "count": "[length(parameters('wsStorageSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsStoragePolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific Synapse Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsSynapseInitiatives'), 'Yes'), not(empty(parameters('wsSynapseSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsSynapseDeploymentName, '-', replace(parameters('wsSynapseSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsSynapseSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsSynapsemg",
+ "count": "[length(parameters('wsSynapseSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsSynapsePolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Workload Specific Virtual Desktop Initiaitve to selected management groups if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsVirtualDesktopInitiatives'), 'Yes'), not(empty(parameters('wsVirtualDesktopSelectorMG'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').wsVirtualDesktopDeploymentName, '-', replace(parameters('wsVirtualDesktopSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('wsVirtualDesktopSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "wsVirtualDesktopmg",
+ "count": "[length(parameters('wsVirtualDesktopSelectorMG'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').wsVirtualDesktopPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "assignmentIndex": {
+ "value": "[copyIndex()]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Regulatory Compliance polices to desired management groups if condition is true
+ "condition": "[not(empty(parameters('regulatoryComplianceInitativesToAssign')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[take(concat(variables('deploymentNames').regulatoryComplianceInitativesToAssignDeploymentName, if(contains(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, '-'), split(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, '-')[1], parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg), '-', uniqueString(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.id)), 64)]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').initiativeDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "regCompAssignments",
+ "count": "[length(parameters('regulatoryComplianceInitativesToAssign'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').regulatoryComplianceInitaitves]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "policySetDefinitionId": {
+ "value": "[parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.id]"
+ },
+ "policySetDefinitionDisplayName": {
+ "value": "[parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.displayName]"
+ },
+ "policySetDefinitionDescription": {
+ "value": "[parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.description]"
+ },
+ "policyAssignmentName": {
+ "value": "[take(concat('Enforce-RegComp-',uniqueString(replace(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, 'contoso', parameters('enterpriseScaleCompanyPrefix')), parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.id)), 24)]"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ },
+ "regCompPolParAusGovIsmRestrictedVmAdminsExclude": {
+ "value": "[parameters('regCompPolParAusGovIsmRestrictedVmAdminsExclude')]"
+ },
+ "regCompPolParAusGovIsmRestrictedResourceTypes": {
+ "value": "[parameters('regCompPolParAusGovIsmRestrictedResourceTypes')]"
+ },
+ "regCompPolParMPAACertificateThumb": {
+ "value": "[parameters('regCompPolParMPAACertificateThumb')]"
+ },
+ "regCompPolParMPAAApplicationName": {
+ "value": "[parameters('regCompPolParMPAAApplicationName')]"
+ },
+ "regCompPolParMPAAStoragePrefix": {
+ "value":
"[parameters('regCompPolParMPAAStoragePrefix')]" + }, + "regCompPolParMPAAResGroupPrefix": { + "value": "[parameters('regCompPolParMPAAResGroupPrefix')]" + }, + "regCompPolParMPAARBatchMetricName": { + "value": "[parameters('regCompPolParMPAARBatchMetricName')]" + }, + "regCompPolParSovBaseConfRegions": { + "value": "[parameters('regCompPolParSovBaseConfRegions')]" + }, + "regCompPolParSovBaseGlobalRegions": { + "value": "[parameters('regCompPolParSovBaseGlobalRegions')]" + }, + "regCompPolParSwift2020VmAdminsInclude": { + "value": "[parameters('regCompPolParSwift2020VmAdminsInclude')]" + }, + "regCompPolParSwift2020DomainFqdn": { + "value": "[parameters('regCompPolParSwift2020DomainFqdn')]" + }, + "regCompPolParCanadaFedPbmmVmAdminsInclude": { + "value": "[parameters('regCompPolParCanadaFedPbmmVmAdminsInclude')]" + }, + "regCompPolParCanadaFedPbmmVmAdminsExclude": { + "value": "[parameters('regCompPolParCanadaFedPbmmVmAdminsExclude')]" + }, + "regCompPolParCisV2KeyVaultKeysRotateDays": { + "value": "[parameters('regCompPolParCisV2KeyVaultKeysRotateDays')]" + }, + "regCompPolParCmmcL3VmAdminsInclude": { + "value": "[parameters('regCompPolParCmmcL3VmAdminsInclude')]" + }, + "regCompPolParCmmcL3VmAdminsExclude": { + "value": "[parameters('regCompPolParCmmcL3VmAdminsExclude')]" + }, + "regCompPolParHitrustHipaaApplicationName": { + "value": "[parameters('regCompPolParHitrustHipaaApplicationName')]" + }, + "regCompPolParHitrustHipaaStoragePrefix": { + "value": "[parameters('regCompPolParHitrustHipaaStoragePrefix')]" + }, + "regCompPolParHitrustHipaaResGroupPrefix": { + "value": "[parameters('regCompPolParHitrustHipaaResGroupPrefix')]" + }, + "regCompPolParHitrustHipaaCertificateThumb": { + "value": "[parameters('regCompPolParHitrustHipaaCertificateThumb')]" + }, + "regCompPolParIrs1075Sep2016VmAdminsExclude": { + "value": "[parameters('regCompPolParIrs1075Sep2016VmAdminsExclude')]" + }, + "regCompPolParIrs1075Sep2016VmAdminsInclude": { + "value": 
"[parameters('regCompPolParIrs1075Sep2016VmAdminsInclude')]" + }, + "regCompPolParNZIsmRestrictedVmAdminsInclude": { + "value": "[parameters('regCompPolParNZIsmRestrictedVmAdminsInclude')]" + }, + "regCompPolParNZIsmRestrictedVmAdminsExclude": { + "value": "[parameters('regCompPolParNZIsmRestrictedVmAdminsExclude')]" + }, + "regCompPolParNistSp800171R2VmAdminsExclude": { + "value": "[parameters('regCompPolParNistSp800171R2VmAdminsExclude')]" + }, + "regCompPolParNistSp800171R2VmAdminsInclude": { + "value": "[parameters('regCompPolParNistSp800171R2VmAdminsInclude')]" + }, + "regCompPolParSoc2Type2AllowedRegistries": { + "value": "[parameters('regCompPolParSoc2Type2AllowedRegistries')]" + }, + "regCompPolParSoc2Type2MaxCpuUnits": { + "value": "[parameters('regCompPolParSoc2Type2MaxCpuUnits')]" + }, + "regCompPolParSoc2Type2MaxMemoryBytes": { + "value": "[parameters('regCompPolParSoc2Type2MaxMemoryBytes')]" + } + } + } + }, + { + // Assigning Azure Monitor Resource Diagnostics policy to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + 
"mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceDiagnosticsInitiative]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + } + } + } + }, + { + // Assigning Azure Activity Diagnostics Log policy to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').activityDiagnosticsPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').activityDiagnosticsPolicyAssignment]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + // Assigning Cost Optimization policy initiative to intermediate root management group + "condition": "[or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').costOptimizationDeploymentName]", + "scope": 
"[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').costOptimizationPolicyInitiative]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + // Assigning Trusted Launch policy initiative to intermediate root management group + "condition": "[or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').trustedLaunchDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').trustedLaunchPolicyInitiative]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + // Assigning Zone Resilient policy initiative to intermediate root management group + "condition": "[or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').zoneResilientDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').zoneResilientPolicyInitiative]" + }, + "parameters": { + "enforcementMode": { + "value": "Default" + } + } 
+ } + }, + { + // Assigning Audit resource location matches resource group location policy to intermediate root management group + "condition": "[or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').resourceRgLocationDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceRgLocationPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning Microsoft Defender for Cloud configurations to subscriptions if condition is true (not policy) + "condition": "[and(equals(parameters('enableAsc'), 'Yes'), not(empty(variables('subscriptionIds'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[concat(variables('deploymentNames').MDFCSubscriptionEnableDeploymentName, copyIndex())]", + "subscriptionId": "[variables('subscriptionIds')[copyIndex()]]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "onlineLzs", + "corpLzs", + "corpConnectedMoveLzs" + ], + "copy": { + "name": "MDFCSubscriptionEnable", + "count": "[length(variables('subscriptionIds'))]" + }, + "properties": { + "mode": "Incremental", 
+ "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').MDFCSubscriptionEnablement]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "resourceGroupLocation": { + "value": "[deployment().location]" + }, + "resourceGroupName": { + "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-asc-export')]" + }, + "emailContactAsc": { + "value": "[parameters('emailContactAsc')]" + }, + "enableAscForServers": { + "value": "[parameters('enableAscForServers')]" + }, + "enableAscForSql": { + "value": "[parameters('enableAscForSql')]" + }, + "enableAscForAppServices": { + "value": "[parameters('enableAscForAppServices')]" + }, + "enableAscForStorage": { + "value": "[parameters('enableAscForStorage')]" + }, + "enableAscForContainers": { + "value": "[parameters('enableAscForContainers')]" + }, + "enableAscForKeyVault": { + "value": "[parameters('enableAscForKeyVault')]" + }, + "enableAscForSqlOnVm": { + "value": "[parameters('enableAscForSqlOnVm')]" + }, + "enableAscForArm": { + "value": "[parameters('enableAscForArm')]" + }, + "enableAscForApis": { + "value": "[parameters('enableAscForApis')]" + }, + "enableAscForCspm": { + "value": "[parameters('enableAscForCspm')]" + }, + "enableAscForOssDb": { + "value": "[parameters('enableAscForOssDb')]" + }, + "enableAscForCosmosDbs": { + "value": "[parameters('enableAscForCosmosDbs')]" + } + } + } + }, + { + // Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ascPolicyDeploymentName]", + 
"scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').mdfcConfigPolicyInitiative]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "emailContactAsc": { + "value": "[parameters('emailContactAsc')]" + }, + "enableAscForServers": { + "value": "[parameters('enableAscForServers')]" + }, + "enableAscForServersVulnerabilityAssessments": { + "value": "[parameters('enableAscForServersVulnerabilityAssessments')]" + }, + "enableAscForSql": { + "value": "[parameters('enableAscForSql')]" + }, + "enableAscForAppServices": { + "value": "[parameters('enableAscForAppServices')]" + }, + "enableAscForStorage": { + "value": "[parameters('enableAscForStorage')]" + }, + "enableAscForContainers": { + "value": "[parameters('enableAscForContainers')]" + }, + "enableAscForKeyVault": { + "value": "[parameters('enableAscForKeyVault')]" + }, + "enableAscForSqlOnVm": { + "value": "[parameters('enableAscForSqlOnVm')]" + }, + "enableAscForArm": { + "value": "[parameters('enableAscForArm')]" + }, + "enableAscForCspm": { + "value": "[parameters('enableAscForCspm')]" + }, + "enableAscForOssDb": { + "value": "[parameters('enableAscForOssDb')]" + }, + "enableAscForCosmosDbs": { + "value": "[parameters('enableAscForCosmosDbs')]" + } + } + } + }, + { + // Assigning Azure Security Center for Open Source Databases configuration policy initiative to intermediate root management group if condition is true + 
"condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').atpOssDbPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').atpOssDbPolicyInitiative]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableAscForOssDb'), 'DeployIfNotExists'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + // Assigning Azure Security Center for Azure SQL, MI and Synapse Databases configuration policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').atpSqlDbPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('deploymentUris').atpSqlDbPolicyInitiative]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableAscForSql'), 'DeployIfNotExists'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + // Assigning Microsoft Defender for Endpoints policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').mdEndpointsDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').mdEnpointsPolicyInitiative]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableMDEndpoints'), 'DeployIfNotExists'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + // Assigning NEW Microsoft Defender for Endpoints policy initiative to intermediate root management group if condition is true: https://www.azadvertizer.net/azpolicyinitiativesadvertizer/77b391e3-2d5d-40c3-83bf-65c846b3c6a3.html + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]", + 
"type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').mdEndpointsAMADeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').mdEnpointsAMAPolicyInitiative]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableMDEndpoints'), 'DeployIfNotExists'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + // Assigning Deny Classic Resource Creation policy to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), not(equals(parameters('denyClassicResources'), 'No')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').denyClassicResourcePolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments',variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').classicResourcesPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "Default" + }, + "policyEffect": { + "value": "[if(equals(parameters('denyClassicResources'), 'Yes'), 'Deny', 'Audit')]" + } + } + } + }, + { + // 
Assigning Deny VM Unmanaged Disk Creation policy to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), not(equals(parameters('denyVMUnmanagedDisk'), 'No')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').denyVMUnmanagedDiskPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').VMUnmanagedDiskPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "[if(equals(parameters('denyVMUnmanagedDisk'), 'Yes'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + // Az Gov Only - Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.usgovcloudapi.net'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ascGovPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').govMdfcPolicyAssignment]" + }, + 
"parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "emailContactAsc": { + "value": "[parameters('emailContactAsc')]" + }, + "enableAscForServers": { + "value": "[parameters('enableAscForServers')]" + }, + "enableAscForSql": { + "value": "[parameters('enableAscForSql')]" + }, + "enableAscForStorage": { + "value": "[parameters('enableAscForStorage')]" + }, + "enableAscForContainers": { + "value": "[parameters('enableAscForContainers')]" + }, + "enableAscForArm": { + "value": "[parameters('enableAscForArm')]" + } + } + } + }, + { + // Assigning Do not allow deletion of resource type Policy to the platform management group if condition is true + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').denyActionDeleteUAMIAMAPolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').denyActionDeleteUAMIAMAPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "resourceName": { + "value": "[variables('platformResourceNames').userAssignedIdentity]" + }, + "resourceType": { + "value": "Microsoft.ManagedIdentity/userAssignedIdentities" + } + } + } + }, + /* + The following optional deployment will configure virtual network hub into the connectivity subscription + */ + { + // Creating resource group for DDoS Network Protection + "condition": 
"[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosRgDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').ddosRg]" + }, + "location": { + "value": "[parameters('connectivityLocation')]" + } + } + } + }, + { + // Creating DDoS protection plan into the connectivity subscription + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').ddosRg]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosRgDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ddosProtection]" + }, + "parameters": { + "ddosName": { + "value": "[variables('platformResourceNames').ddosName]" + }, + "location": { + "value": "[parameters('connectivityLocation')]" + } + } + } + }, + { + // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true + "condition": "[and(or(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableDdoS'), 'Audit')), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosHubPolicyDeploymentName]", + "scope": "[variables('scopes').connectivityManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ddosPolicyAssignment]" + }, + "parameters": { + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableDdoS'), 'Yes'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + // Creating the virtual network hub (hub and spoke) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), equals(parameters('enableHub'), 'vhub'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": 
"2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').vnetConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vnetConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('connectivityLocation')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": 
"[parameters('subnetMaskForAzFw')]" + }, + "subnetMaskForAzFwMgmt": { + "value": "[parameters('subnetMaskForAzFwMgmt')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, + "firewallZones": { + "value": "[parameters('firewallZones')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxy')]" + }, + "enableVpnActiveActive": { + "value": "[parameters('enableVpnActiveActive')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + } + } + } + }, + { + // Creating the virtual network hub (with NVA) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'nva'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').nvaConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nvaConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('connectivityLocation')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "enableVpnActiveActive": { + "value": "[parameters('enableVpnActiveActive')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + } + } + } + }, + { + // Creating the VWAN network hub (Microsoft managed) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').vwanConnectivityHubDeploymentName]", + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vwanConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, + "firewallZones": { + "value": "[parameters('firewallZones')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxy')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "location": { + "value": "[parameters('connectivityLocation')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "expressRouteScaleUnit": { + "value": "[parameters('expressRouteScaleUnit')]" + }, + "vpnGateWayScaleUnit": { + "value": "[parameters('vpnGateWayScaleUnit')]" + }, + 
"enablevWANRoutingIntent": { + "value": "[parameters('enablevWANRoutingIntent')]" + }, + "internetTrafficRoutingPolicy": { + "value": "[parameters('internetTrafficRoutingPolicy')]" + }, + "privateTrafficRoutingPolicy": { + "value": "[parameters('privateTrafficRoutingPolicy')]" + }, + "vWANHubRoutingPreference": { + "value": "[parameters('vWANHubRoutingPreference')]" + }, + "vWanHubCapacity": { + "value": "[parameters('vWANHubCapacity')]" + }, + "enableHubSecondary": { + "value": "[parameters('enableSecondaryRegion')]" + }, + "enableAzFwSecondary": { + "value": "[parameters('enableAzFwSecondary')]" + }, + "firewallSkuSecondary": { + "value": "[parameters('firewallSkuSecondary')]" + }, + "firewallZonesSecondary": { + "value": "[parameters('firewallZonesSecondary')]" + }, + "enableAzFwDnsProxySecondary": { + "value": "[parameters('enableAzFwDnsProxySecondary')]" + }, + "addressPrefixSecondary": { + "value": "[parameters('addressPrefixSecondary')]" + }, + "enableVpnGwSecondary": { + "value": "[parameters('enableVpnGwSecondary')]" + }, + "enableErGwSecondary": { + "value": "[parameters('enableErGwSecondary')]" + }, + "locationSecondary": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "expressRouteScaleUnitSecondary": { + "value": "[parameters('expressRouteScaleUnitSecondary')]" + }, + "vpnGateWayScaleUnitSecondary": { + "value": "[parameters('vpnGateWayScaleUnitSecondary')]" + }, + "enablevWANRoutingIntentSecondary": { + "value": "[parameters('enablevWANRoutingIntentSecondary')]" + }, + "internetTrafficRoutingPolicySecondary": { + "value": "[parameters('internetTrafficRoutingPolicySecondary')]" + }, + "privateTrafficRoutingPolicySecondary": { + "value": "[parameters('privateTrafficRoutingPolicySecondary')]" + }, + "vWANHubRoutingPreferenceSecondary": { + "value": "[parameters('vWANHubRoutingPreferenceSecondary')]" + }, + "vWANHubCapacitySecondary": { + "value": "[parameters('vWANHubCapacitySecondary')]" + } + } + } + }, + { + // Creating resource 
group for Private DNS Zones
+ "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').privateDnsZoneRgDeploymentName]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').privateDnsRg]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ }
+ }
+ }
 },
- "cuaid": "35c42e79-00b3-42eb-a9ac-e542953efb3c",
- "ztnPhase1CuaId": "f09f64b8-5cb3-4b16-900d-6ba1df8a597e"
- },
- "resources": [
+ {
+ // Creating Private DNS Zones into the connectivity 
subscription and linking them to a secondary location if provided.
+ "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').privateDnsZonesDeploymentName, copyIndex())]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').privateDnsRg]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRgDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]"
+ ],
+ "copy": {
+ "name": "dnsZones",
+ "count": "[length(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').privateDnsZones]"
+ },
+ "parameters": {
+ "privateDnsZoneName": {
+ "value": "[concat(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved')[copyIndex()])]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ 
"connectivityHubResourceIdSecondary": { + "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]" + }, + "enablePrivateDnsZonesSecondary": { + "value": "[parameters('enablePrivateDnsZonesSecondary')]" + }, + "enableHubSecondary": { + "value": "[parameters('enableSecondaryRegion')]" + } + } + } + }, + { + // Creating resource group for Private DNS Zones for a secondary region + "condition": "[and(equals(parameters('enablePrivateDnsZonesSecondary'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').privateDnsZoneRg2DeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').privateDnsRg2]" + }, + "location": { + "value": "[parameters('connectivityLocationSecondary')]" + } + } + } + }, + { + // Creating Private DNS Zones into the connectivity subscription for a secondary region + "condition": "[and(equals(parameters('enablePrivateDnsZonesSecondary'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[concat(variables('deploymentNames').privateDnsZones2DeploymentName, copyIndex())]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').privateDnsRg2]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRg2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]" + ], + "copy": { + "name": "dnsZones", + "count": "[length(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').privateDnsZones]" + }, + "parameters": { + "privateDnsZoneName": { + "value": "[concat(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved')[copyIndex()])]" + }, + "connectivityHubResourceId": { + "value": 
"[variables('platformResourceIds').vNetHubResourceIdSecondary]" + }, + "connectivityHubResourceIdSecondary": { + "value": "placeholder" + }, + "enablePrivateDnsZonesSecondary": { + "value": "[parameters('enablePrivateDnsZonesSecondary')]" + }, + "enableHubSecondary": { + "value": "No" + } + } + } + }, /* - The following deployment will create the management group structure for ESLZ and ensure the sustainable, scalable architecture + The following optional deployment will configure virtual network hub into the connectivity subscription for a secondary region */ { - // Creating the ESLZ management group structure - "condition": "[empty(parameters('singlePlatformSubscriptionId'))]", + // Creating the virtual network hub (hub and spoke) in a secondary region + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), equals(parameters('enableSecondaryRegion'), 'Yes'), equals(parameters('enableHubSecondary'), 'vhub'))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('deploymentNames').mgmtGroupDeploymentName]", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').vnetConnectivityHub2DeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], "location": "[deployment().location]", "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').managementGroups]" + "uri": "[variables('deploymentUris').vnetConnectivityHub]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHubSecondary')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFwSecondary')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefixSecondary')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGwSecondary')]" + }, + "enableErGw": { + "value": "[parameters('enableErGwSecondary')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": "[parameters('subnetMaskForAzFwSecondary')]" + }, + "subnetMaskForAzFwMgmt": { + "value": "[parameters('subnetMaskForAzFwMgmtSecondary')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGwSecondary')]" + }, + "firewallSku": { + "value": "[parameters('firewallSkuSecondary')]" + }, + "firewallZones": { + "value": "[parameters('firewallZonesSecondary')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxySecondary')]" + }, + "enableVpnActiveActive": { + "value": "[parameters('enableVpnActiveActiveSecondary')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAzSecondary')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSkuSecondary')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSkuSecondary')]" + }, + 
"erRegionalOrAz": { + "value": "[parameters('erRegionalOrAzSecondary')]" + }, + "erAzSku": { + "value": "[parameters('erAzSkuSecondary')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSkuSecondary')]" } } } }, { - // Deploying ALZ Custom RBAC Role Definitions + // Creating the virtual network hub (with NVA) in a secondary region + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableSecondaryRegion'), 'Yes'), equals(parameters('enableHubSecondary'), 'nva'))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('deploymentNames').roleDefsDeploymentName]", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').nvaConnectivityHub2DeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], "location": "[deployment().location]", - "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nvaConnectivityHub]" + }, + "parameters": { + 
"topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHubSecondary')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefixSecondary')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGwSecondary')]" + }, + "enableErGw": { + "value": "[parameters('enableErGwSecondary')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGwSecondary')]" + }, + "enableVpnActiveActive": { + "value": "[parameters('enableVpnActiveActiveSecondary')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAzSecondary')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSkuSecondary')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSkuSecondary')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAzSecondary')]" + }, + "erAzSku": { + "value": "[parameters('erAzSkuSecondary')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSkuSecondary')]" + } + } + } + }, + { + // Peering the primary hub and the secondary hub (when nva or vhub is selected) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), or(equals(parameters('enableHubSecondary'), 'nva'), equals(parameters('enableHubSecondary'), 'vhub')), equals(parameters('enableSecondaryRegion'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deploymentNames').hubPeeringDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "location": 
"[parameters('connectivityLocation')]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identityPeeringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identityPeering2DeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').roleDefinitions]" + "uri": "[variables('deploymentUris').hubVnetPeering]" + }, + "parameters": { + "hubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceId]" + }, + "hubResourceIdSecondary": { + "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]" + }, + "hubLocation": { + "value": 
"[parameters('connectivityLocation')]" + }, + "hubLocationSecondary": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "hubRgName": { + "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocation'))]" + }, + "hubRgNameSecondary": { + "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocationSecondary'))]" } } } }, - /* - The following deployments will deploy the required proactive and preventive Azure policies for ESLZ policy driven governance - */ { - // Deploying ESLZ custom policies. Note: all policies should eventually be moved to built-in policies and codebase will be reduced + // Creating route table from first region to second region + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), equals(parameters('enableHub'), 'vhub'), equals(parameters('enableAzFw'), 'Yes'), equals(parameters('enableAzFwSecondary'), 'Yes'))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('deploymentNames').policyDeploymentName]", - "location": "[deployment().location]", - "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').vnetConnectivityRouteTableDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').connectivityRg]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRgDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').hubPeeringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').hubVnetRouting]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "connectivityHubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceId]" + }, + "subnetName": { + "value": "AzureFirewallSubnet" + }, + "cidrRange": { + "value": "[parameters('addressPrefixSecondary')]" + }, + "targetFWSubnetCidr": { + "value": "[parameters('subnetMaskForAzFwSecondary')]" + }, + "sourceFWSubnetCidr": { + "value": "[parameters('subnetMaskForAzFw')]" + }, + "hubLocation": { + "value": "[parameters('connectivityLocation')]" + } + } + } + }, + { + // Creating route table from second region to first region + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))), equals(parameters('enableHub'), 'vhub'), equals(parameters('enableAzFw'), 'Yes'), equals(parameters('enableAzFwSecondary'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').vnetConnectivityRouteTable2DeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').connectivityRgSecondary]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRgDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').hubPeeringDeploymentName)]"
 ],
 "properties": {
 "mode": "Incremental",
 "templateLink": {
 "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').policyDefinitions]"
+ "uri": "[variables('deploymentUris').hubVnetRouting]"
 },
 "parameters": {
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]"
+ },
+ "subnetName": {
+ "value": "AzureFirewallSubnet"
+ },
+ "cidrRange": {
+ "value": "[parameters('addressPrefix')]"
+ },
+ "targetFWSubnetCidr": {
+ "value": "[parameters('subnetMaskForAzFw')]"
+ },
+ "sourceFWSubnetCidr": {
+ "value": "[parameters('subnetMaskForAzFwSecondary')]"
+ },
+ "hubLocation": {
+ "value": "[parameters('connectivityLocationSecondary')]"
 }
 }
 }
 },
+ /*
+ The following deployments will deploy and configure the Azure policy governance for the landing zones
+ */
 {
- // One of Azure's untold stories..... 
+ // Deploying Private DNS Zones policy assignment for PaaS services using built-in policies
+ "condition": "[or(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), equals(parameters('enablePrivateDnsZonesForLzs'), 'Audit'))]",
 "type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-10-01",
- "name": "[concat('preparingToLaunch', copyIndex())]",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').privateDnsPolicyDeploymentName]",
 "location": "[deployment().location]",
- "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+ "scope": "[variables('scopes').corpManagementGroup]",
 "dependsOn": [
- "[variables('deploymentNames').policyDeploymentName]"
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]",
+ "dnsZones",
+ "dnsZonesLite",
+ "policyCompletion"
 ],
- "copy": {
- "batchSize": 1,
- "count": "[parameters('delayCount')]",
- "mode": "Serial",
- "name": "policyCompletion"
- },
 "properties": {
 "mode": "Incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "templateLink": {
 "contentVersion": "1.0.0.0",
- "parameters": {},
- "resources": [],
- "outputs": {}
+ "uri": "[variables('deploymentUris').privateDnsZonePolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "location": {
+ "value": "[parameters('connectivityLocation')]"
+ },
+ "dnsZoneResourceGroupId": {
+ "value": "[variables('platformResourceIds').privateDnsRgResourceId]"
+ },
+ "enforcementMode": {
+ "value": "[if(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), 'Default', 'DoNotEnforce')]"
+ }
 }
 }
 },
- /*
- The following deployments will organize the dedicated platform 
subscriptions into their respective management groups - */ { - // Placing management subscription into dedicated management group - "condition": "[not(empty(parameters('managementSubscriptionId')))]", + // Assigning RBAC for Private DNS Zone Policy assignment to the connectivity hub + "condition": "[equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').mgmtSubscriptionPlacement]", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').dnsZoneRoleAssignmentDeploymentName]", "location": "[deployment().location]", - "scope": "[variables('scopes').managementManagementGroup]", + "subscriptionId": "[variables('singleVsDedicatedConnectivitySub')]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + "[variables('deploymentNames').privateDnsPolicyDeploymentName]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').subscriptionPlacement]" + "uri": "[variables('deploymentUris').roleAssignments]" }, "parameters": { - "targetManagementGroupId": { - "value": "[variables('mgmtGroups').management]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "subscriptionId": { - "value": "[parameters('managementSubscriptionId')]" + "principalId": { + "value": "[if(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), reference(variables('deploymentNames').privateDnsPolicyDeploymentName).outputs.principalId.value, 'na')]" + }, + "roleDefinitionId": { + "value": "[variables('roleDefinitions').networkContributor]" } } } }, { - // Placing connectivity subscription into dedicated management group - "condition": "[not(empty(parameters('connectivitySubscriptionId')))]", + // Assigning Azure Monitor for VMs policy initiative to platform management group if condition 
is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').connectivitySubscriptionPlacement]", + "name": "[variables('deploymentNames').azVmMonitorPolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", - "scope": "[variables('scopes').connectivityManagementGroup]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').userAssignedIdentityDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').subscriptionPlacement]" + "uri": "[variables('deploymentUris').azVmMonitorPolicyAssignment]" }, "parameters": { - "targetManagementGroupId": { - "value": "[variables('mgmtGroups').connectivity]" + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]" }, - "subscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "userAssignedIdentityResourceId": { + 
"value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + }, + "scope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Placing identity subscription into dedicated management group - "condition": "[not(empty(parameters('identitySubscriptionId')))]", + // Assigning Azure Monitor for VMs policy initiative to landing zone management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').identitySubscriptionPlacement]", + "name": "[variables('deploymentNames').azVmMonitorPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", - "scope": "[variables('scopes').identityManagementGroup]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').userAssignedIdentityDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').subscriptionPlacement]" + "uri": "[variables('deploymentUris').azVmMonitorPolicyAssignment]" }, "parameters": { - "targetManagementGroupId": { - "value": "[variables('mgmtGroups').identity]" + "dataCollectionRuleResourceId": { + "value": 
"[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]" }, - "subscriptionId": { - "value": "[parameters('identitySubscriptionId')]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + }, + "scope": { + "value": "[variables('scopes').lzsManagementGroup]" + }, + "platformScope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, - /* - The following deployments will optionally configure the governance, security, and monitoring for the Azure platform and landing zones - */ { - // Deploying Log Analytics workspace to management subscription if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + // Assigning Azure Monitor for VMSS policy initiative to platform management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmssMonitoring'), 'Yes'), equals(parameters('enableVmssMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').monitoringDeploymentName]", + "name": "[variables('deploymentNames').azVmssMonitorPolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", - "subscriptionId": "[parameters('managementSubscriptionId')]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion" + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').userAssignedIdentityDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitoring]" + "uri": "[variables('deploymentUris').azVmssMonitorPolicyAssignment]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]" }, - "workspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - "workspaceRegion": { - "value": "[deployment().location]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "automationAccountName": { - "value": "[variables('platformResourceNames').automationAccount]" + "enforcementMode": { + "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" }, - "automationRegion": { - "value": "[deployment().location]" + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" }, - "retentionInDays": { - "value": "[parameters('retentionInDays')]" + "scope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Deploying Log Analytics solutions to Log Analytics workspace if condition is true - "condition": "[and(and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), 
equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableServiceMap'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')), equals(parameters('enableSqlAdvancedThreatProtection'), 'Yes')), equals(parameters('enableSqlVulnerabilityAssessment'), 'Yes')))]", + // Assigning Azure Monitor for VMSS policy initiative to landing zone management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmssMonitoring'), 'Yes'), equals(parameters('enableVmssMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').monitoringSolutionsDeploymentName]", + "name": "[variables('deploymentNames').azVmssMonitorPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", - "subscriptionId": "[parameters('managementSubscriptionId')]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').userAssignedIdentityDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitoringSolutions]" + "uri": "[variables('deploymentUris').azVmssMonitorPolicyAssignment]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "workspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" 
- }, - "workspaceRegion": { - "value": "[deployment().location]" - }, - "enableSecuritySolution": { - "value": "[parameters('enableSecuritySolution')]" - }, - "enableAgentHealth": { - "value": "[parameters('enableAgentHealth')]" - }, - "enableChangeTracking": { - "value": "[parameters('enableChangeTracking')]" - }, - "enableUpdateMgmt": { - "value": "[parameters('enableUpdateMgmt')]" + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]" }, - "enableVmInsights": { - "value": "[parameters('enableVmInsights')]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "enableServiceMap": { - "value": "[parameters('enableServiceMap')]" + "enforcementMode": { + "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" }, - "enableSqlAssessment": { - "value": "[parameters('enableSqlAssessment')]" + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" }, - "enableSqlAdvancedThreatProtection": { - "value": "[parameters('enableSqlAdvancedThreatProtection')]" + "scope": { + "value": "[variables('scopes').lzsManagementGroup]" }, - "enableSqlVulnerabilityAssessment": { - "value": "[parameters('enableSqlVulnerabilityAssessment')]" + "platformScope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Assigning Log Analytics workspace policy to management management group if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]", + // Assigning Azure Monitor for Arc-enabled VMs policy initiative to platform management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), 
or(equals(parameters('enableVmHybridMonitoring'), 'Yes'), equals(parameters('enableVmHybridMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').logAnalyticsPolicyDeploymentName]", - "scope": "[variables('scopes').managementManagementGroup]", + "name": "[variables('deploymentNames').azVmHybridMonitorPolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]" + "uri": "[variables('deploymentUris').azVmHybridMonitorPolicyAssignment]" }, "parameters": { + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]" + }, "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "logAnalyticsWorkspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - "workspaceRegion": { - "value": "[deployment().location]" - }, - "automationAccountName": { - "value": "[variables('platformResourceNames').automationAccount]" - }, - "automationRegion": { - "value": "[deployment().location]" + "enforcementMode": { + "value": "[if(equals(parameters('enableVmHybridMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" }, - "retentionInDays": { - "value": 
"[parameters('retentionInDays')]" + "scope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Assigning Microsoft Cloud Security Benchmark policy to intermediate root management group if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAsc'), 'Yes')))]", + // Assigning Azure Monitor for Arc-enabled VMs policy initiative to landing management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmHybridMonitoring'), 'Yes'), equals(parameters('enableVmHybridMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').asbPolicyDeploymentName]", - "scope": "[variables('scopes').eslzRootManagementGroup]", + "name": "[variables('deploymentNames').azVmHybridMonitorPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').asbPolicyInitiative]" + "uri": 
"[variables('deploymentUris').azVmHybridMonitorPolicyAssignment]" }, - "parameters": {} + "parameters": { + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableVmHybridMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "scope": { + "value": "[variables('scopes').lzsManagementGroup]" + }, + "platformScope": { + "value": "[variables('scopes').platformManagementGroup]" + } + } } }, { - // Assigning Azure Monitor Resource Diagnostics policy to intermediate root management group if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + // Assigning Azure Update Manager policy to platform management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableUpdateMgmt'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName]", - "scope": "[variables('scopes').eslzRootManagementGroup]", + "name": "[variables('deploymentNames').azureUpdateManagerPolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').monitoringDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + "policyCompletion" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').resourceDiagnosticsInitiative]" + "uri": "[variables('deploymentUris').azureUpdateManagerPolicyAssignment]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "logAnalyticsResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + "enforcementMode": { + "value": "Default" + }, + "assessmentMode": { + "value": "AutomaticByPlatform" + }, + "scope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Assigning Azure Activity Diagnostics Log policy to intermediate root management group if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]", + // Assigning Azure Update Manager policy to landing zone management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableUpdateMgmt'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').activityDiagnosticsPolicyDeploymentName]", - "scope": "[variables('scopes').eslzRootManagementGroup]", + "name": "[variables('deploymentNames').azureUpdateManagerPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - 
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + "policyCompletion" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').activityDiagnosticsPolicyAssignment]" + "uri": "[variables('deploymentUris').azureUpdateManagerPolicyAssignment]" }, "parameters": { - "logAnalyticsResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" - }, "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "Default" + }, + "assessmentMode": { + "value": "AutomaticByPlatform" + }, + "scope": { + "value": "[variables('scopes').lzsManagementGroup]" } } } }, { - // Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true - "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]", + // Assigning ChangeTracking for VMs policy initiative to platform management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').ascPolicyDeploymentName]", - "scope": "[variables('scopes').eslzRootManagementGroup]", + "name": "[variables('deploymentNames').ChangeTrackingVmDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - 
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').userAssignedIdentityDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').mdfcConfigPolicyInitiative]" + "uri": "[variables('deploymentUris').ChangeTrackingVmPolicyAssignment]" }, "parameters": { - "logAnalyticsResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]" }, "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "emailContactAsc": { - "value": "[parameters('emailContactAsc')]" - }, - "enableAscForServers": { - "value": "[parameters('enableAscForServers')]" - }, - "enableAscForSql": { - "value": "[parameters('enableAscForSql')]" - }, - "enableAscForAppServices": { - "value": "[parameters('enableAscForAppServices')]" - }, - "enableAscForStorage": { - "value": "[parameters('enableAscForStorage')]" - }, - "enableAscForContainers": { - "value": "[parameters('enableAscForContainers')]" - }, - "enableAscForKeyVault": { - "value": "[parameters('enableAscForKeyVault')]" - }, - "enableAscForSqlOnVm": { - "value": "[parameters('enableAscForSqlOnVm')]" - }, - "enableAscForArm": { - "value": "[parameters('enableAscForArm')]" - }, - "enableAscForDns": { - "value": "[parameters('enableAscForDns')]" + "enforcementMode": { + "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" }, - "enableAscForOssDb": { - "value": "[parameters('enableAscForOssDb')]" + "userAssignedIdentityResourceId": { + "value": 
"[variables('platformResourceIds').userAssignedIdentityResourceId]" }, - "enableAscForCosmosDbs": { - "value": "[parameters('enableAscForCosmosDbs')]" + "scope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Az Gov Only - Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true - "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.usgovcloudapi.net'))]", + // Assigning ChangeTracking for VMs policy initiative to landing zone management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').ascGovPolicyDeploymentName]", - "scope": "[variables('scopes').eslzRootManagementGroup]", + "name": "[variables('deploymentNames').ChangeTrackingVmDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').userAssignedIdentityDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').govMdfcPolicyAssignment]" + "uri": 
"[variables('deploymentUris').ChangeTrackingVmPolicyAssignment]" }, "parameters": { - "logAnalyticsResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]" }, "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "emailContactAsc": { - "value": "[parameters('emailContactAsc')]" - }, - "enableAscForServers": { - "value": "[parameters('enableAscForServers')]" - }, - "enableAscForSql": { - "value": "[parameters('enableAscForSql')]" - }, - "enableAscForStorage": { - "value": "[parameters('enableAscForStorage')]" + "enforcementMode": { + "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" }, - "enableAscForContainers": { - "value": "[parameters('enableAscForContainers')]" + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" }, - "enableAscForArm": { - "value": "[parameters('enableAscForArm')]" + "scope": { + "value": "[variables('scopes').lzsManagementGroup]" }, - "enableAscForDns": { - "value": "[parameters('enableAscForDns')]" + "platformScope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, - /* - The following optional deployment will configure virtual network hub into the connectivity subscription - */ { - // Creating resource group for DDoS Network Protection - "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + // Assigning ChangeTracking for VMSS policy initiative to platform management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]", "type": 
"Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').ddosRgDeploymentName]", - "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "name": "[variables('deploymentNames').ChangeTrackingVmssDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').userAssignedIdentityDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').resourceGroup]" + "uri": "[variables('deploymentUris').ChangeTrackingVmssPolicyAssignment]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').ddosRg]" + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]" }, - "location": { - "value": "[parameters('connectivityLocation')]" + "topLevelManagementGroupPrefix": { + "value": 
"[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + }, + "scope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Creating DDoS protection plan into the connectivity subscription - "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + // Assigning ChangeTracking for VMSS policy initiative to landing zone management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').ddosDeploymentName]", - "subscriptionId": "[parameters('connectivitySubscriptionId')]", - "resourceGroup": "[variables('platformRgNames').ddosRg]", + "name": "[variables('deploymentNames').ChangeTrackingVmssDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosRgDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').userAssignedIdentityDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').ddosProtection]" + "uri": "[variables('deploymentUris').ChangeTrackingVmssPolicyAssignment]" }, "parameters": { - "ddosName": { - "value": "[variables('platformResourceNames').ddosName]" + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]" }, - "location": { - "value": "[parameters('connectivityLocation')]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" + }, + "scope": { + "value": "[variables('scopes').lzsManagementGroup]" + }, + "platformScope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true - "condition": "[and(or(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableDdoS'), 'Audit')), not(empty(parameters('connectivitySubscriptionId'))))]", + // Assigning ChangeTracking for Hyrbid VMs policy initiative to platform management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').ddosHubPolicyDeploymentName]", - "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').ChangeTrackingVmArcDeploymentName]", + "scope": 
"[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').ddosPolicyAssignment]" + "uri": "[variables('deploymentUris').ChangeTrackingVmArcPolicyAssignment]" }, "parameters": { - "ddosPlanResourceId": { - "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]" }, "topLevelManagementGroupPrefix": { - "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]" + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, "enforcementMode": { - "value": "[if(equals(parameters('enableDdoS'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('enableVmHybridMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "scope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Creating the virtual network hub (hub and spoke) - "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", + // Assigning ChangeTracking for Hyrbid VMs policy initiative to landing zone management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "scope": 
"[variables('scopes').connectivityManagementGroup]", - "name": "[variables('deploymentNames').vnetConnectivityHubDeploymentName]", + "name": "[variables('deploymentNames').ChangeTrackingVmArcDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]" ], - "location": "[deployment().location]", "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').vnetConnectivityHub]" + "uri": "[variables('deploymentUris').ChangeTrackingVmArcPolicyAssignment]" }, "parameters": { + "dataCollectionRuleResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]" + }, "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "ddosPlanResourceId": { - "value": "[variables('platformResourceIds').ddosProtectionResourceId]" - }, - "enableHub": { - "value": 
"[parameters('enableHub')]" - }, - "enableAzFw": { - "value": "[parameters('enableAzFw')]" - }, - "addressPrefix": { - "value": "[parameters('addressPrefix')]" - }, - "enableVpnGw": { - "value": "[parameters('enableVpnGw')]" - }, - "enableErGw": { - "value": "[parameters('enableErGw')]" - }, - "enableDdoS": { - "value": "[parameters('enableDdoS')]" - }, - "location": { - "value": "[parameters('connectivityLocation')]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" - }, - "subnetMaskForAzFw": { - "value": "[parameters('subnetMaskForAzFw')]" - }, - "subnetMaskForGw": { - "value": "[parameters('subnetMaskForGw')]" - }, - "firewallSku": { - "value": "[parameters('firewallSku')]" - }, - "firewallZones": { - "value": "[parameters('firewallZones')]" - }, - "enableAzFwDnsProxy": { - "value": "[parameters('enableAzFwDnsProxy')]" - }, - "gwRegionalOrAz": { - "value": "[parameters('gwRegionalOrAz')]" - }, - "gwAzSku": { - "value": "[parameters('gwAzSku')]" - }, - "gwRegionalSku": { - "value": "[parameters('gwRegionalSku')]" - }, - "erRegionalOrAz": { - "value": "[parameters('erRegionalOrAz')]" + "enforcementMode": { + "value": "[if(equals(parameters('enableVmHybridMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" }, - "erAzSku": { - "value": "[parameters('erAzSku')]" + "scope": { + "value": "[variables('scopes').lzsManagementGroup]" }, - "erRegionalSku": { - "value": "[parameters('erRegionalSku')]" + "platformScope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Creating the virtual network hub (with NVA) - "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'nva'))]", + // Assigning MDFC Defender for SQL AMA initiative to platform management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 
'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "scope": "[variables('scopes').connectivityManagementGroup]", - "name": "[variables('deploymentNames').nvaConnectivityHubDeploymentName]", + "name": "[variables('deploymentNames').MDFCDefenderSqlAmaDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').userAssignedIdentityDeploymentName)]" ], - "location": "[deployment().location]", "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').nvaConnectivityHub]" + "uri": "[variables('deploymentUris').MDFCDefenderSqlAma]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "ddosPlanResourceId": { - "value": "[variables('platformResourceIds').ddosProtectionResourceId]" - }, - "enableHub": { - "value": 
"[parameters('enableHub')]" - }, - "addressPrefix": { - "value": "[parameters('addressPrefix')]" - }, - "enableVpnGw": { - "value": "[parameters('enableVpnGw')]" - }, - "enableErGw": { - "value": "[parameters('enableErGw')]" - }, - "enableDdoS": { - "value": "[parameters('enableDdoS')]" - }, - "location": { - "value": "[parameters('connectivityLocation')]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" + "enforcementMode": { + "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" }, - "subnetMaskForGw": { - "value": "[parameters('subnetMaskForGw')]" + "workspaceRegion": { + "value": "[deployment().location]" }, - "gwRegionalOrAz": { - "value": "[parameters('gwRegionalOrAz')]" + "userWorkspaceResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" }, - "gwAzSku": { - "value": "[parameters('gwAzSku')]" + "bringYourOwnDcr": { + "value": true }, - "gwRegionalSku": { - "value": "[parameters('gwRegionalSku')]" + "dcrResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleMdfcDefenderSqlResourceId]" }, - "erRegionalOrAz": { - "value": "[parameters('erRegionalOrAz')]" + "bringYourOwnUserAssignedManagedIdentity": { + "value": true }, - "erAzSku": { - "value": "[parameters('erAzSku')]" + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" }, - "erRegionalSku": { - "value": "[parameters('erRegionalSku')]" + "scope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Creating the VWAN network hub (Microsoft managed) - "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]", + // Assigning MDFC Defender for SQL AMA initiative to landing zone management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), 
not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "scope": "[variables('scopes').connectivityManagementGroup]", - "name": "[variables('deploymentNames').vwanConnectivityHubDeploymentName]", + "name": "[variables('deploymentNames').MDFCDefenderSqlAmaDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').userAssignedIdentityDeploymentName)]" ], - "location": "[deployment().location]", "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').vwanConnectivityHub]" + "uri": "[variables('deploymentUris').MDFCDefenderSqlAma]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "enableHub": { - "value": 
"[parameters('enableHub')]" - }, - "enableAzFw": { - "value": "[parameters('enableAzFw')]" - }, - "firewallSku": { - "value": "[parameters('firewallSku')]" - }, - "firewallZones": { - "value": "[parameters('firewallZones')]" + "enforcementMode": { + "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" }, - "enableAzFwDnsProxy": { - "value": "[parameters('enableAzFwDnsProxy')]" + "workspaceRegion": { + "value": "[deployment().location]" }, - "addressPrefix": { - "value": "[parameters('addressPrefix')]" + "userWorkspaceResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" }, - "enableVpnGw": { - "value": "[parameters('enableVpnGw')]" + "bringYourOwnDcr": { + "value": true }, - "enableErGw": { - "value": "[parameters('enableErGw')]" + "dcrResourceId": { + "value": "[variables('platformResourceIds').dataCollectionRuleMdfcDefenderSqlResourceId]" }, - "location": { - "value": "[parameters('connectivityLocation')]" + "bringYourOwnUserAssignedManagedIdentity": { + "value": true }, - "connectivitySubscriptionId": { - "value": "[parameters('connectivitySubscriptionId')]" + "userAssignedIdentityResourceId": { + "value": "[variables('platformResourceIds').userAssignedIdentityResourceId]" }, - "expressRouteScaleUnit": { - "value": "[parameters('expressRouteScaleUnit')]" + "scope": { + "value": "[variables('scopes').lzsManagementGroup]" }, - "vpnGateWayScaleUnit": { - "value": "[parameters('vpnGateWayScaleUnit')]" + "platformScope": { + "value": "[variables('scopes').platformManagementGroup]" } } } }, { - // Creating resource group for Private DNS Zones - "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + // Assigning Azure Backup policy to landing zones management group if condition is true + "condition": "[or(equals(parameters('enableVmBackup'), 'Yes'), equals(parameters('enableVmBackup'), 'Audit'))]", "type": 
"Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').privateDnsZoneRgDeploymentName]", - "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "name": "[variables('deploymentNames').azBackupLzPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]" + "policyCompletion" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').resourceGroup]" + "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').privateDnsRg]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "location": { - "value": "[parameters('connectivityLocation')]" + "enforcementMode": { + "value": "[if(equals(parameters('enableVmBackup'), 'Yes'), 
'Default', 'DoNotEnforce')]" } } } }, { - // Creating Private DNS Zones into the connectivity subscription - "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + // Assigning DDoS Policy to enforce DDoS on virtual networks in landing zones management group if condition evaluates to true + "condition": "[and(or(equals(parameters('enableLzDdoS'), 'Yes'), equals(parameters('enableLzDdoS'), 'Audit')), not(empty(parameters('connectivitySubscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[concat(variables('deploymentNames').privateDnsZonesDeploymentName, copyIndex())]", - "subscriptionId": "[parameters('connectivitySubscriptionId')]", - "resourceGroup": "[variables('platformRgNames').privateDnsRg]", + "name": "[variables('deploymentNames').ddosLzPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRgDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" ], - "copy": { - "name": "dnsZones", - "count": "[length(variables('privateDnsZonesMerge'))]" - }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": 
"1.0.0.0", - "uri": "[variables('deploymentUris').privateDnsZones]" + "uri": "[variables('deploymentUris').ddosPolicyAssignment]" }, "parameters": { - "privateDnsZoneName": { - "value": "[concat(variables('privateDnsZonesMerge')[copyIndex()])]" + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" }, - "connectivityHubResourceId": { - "value": "[variables('platformResourceIds').vNetHubResourceId]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableLzDdoS'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, - /* - The following optional deployment will configure and setup AzOps with GitHub for your ESLZ deployment - */ { - // Creating roleAssignment for the dedicated Service Principal for AzOps - "condition": "[and(equals(parameters('enableAzOps'), 'Yes'), not(empty(parameters('principalSecret'))))]", + // Assigning Azure Policy enablement policy for AKS to landing zones management group if condition is true + "condition": "[or(equals(parameters('enableAksPolicy'), 'Yes'), equals(parameters('enableAksPolicy'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').azOpsRbacDeploymentName]", - "scope": "[variables('scopes').eslzRootManagementGroup]", + "name": "[variables('deploymentNames').azPolicyForAksPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + "policyCompletion" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').azOpsRBAC]" + "uri": 
"[variables('deploymentUris').azPolicyForAksPolicyAssignment]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "principalId": { - "value": "[parameters('principalId')]" + "enforcementMode": { + "value": "[if(equals(parameters('enableaksPolicy'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Creating resource group for AzOps - "condition": "[and(equals(parameters('enableAzOps'), 'Yes'), not(empty(parameters('principalSecret'))))]", + // Assigning Aks Priv Escalation policy to landing zones management group if condition is true + "condition": "[or(equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), equals(parameters('denyAksPrivilegedEscalation'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').azOpsRgDeploymentName]", - "subscriptionId": "[variables('azOpsSubscriptionId')]", + "name": "[variables('deploymentNames').aksPrivEscalationPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').azOpsRbacDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + "policyCompletion" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').resourceGroup]" + "uri": "[variables('deploymentUris').aksPrivEscalationPolicyAssignment]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').azOpsRg]" - }, - "location": { - "value": "[deployment().location]" + "enforcementMode": { + "value": "[if(equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // 
Creating GitHub repository and bootstraps the CICD pipeline - "condition": "[and(equals(parameters('enableAzOps'), 'Yes'), not(empty(parameters('principalSecret'))))]", + // Assigning Aks Priviliged policy to landing zones management group if condition is true + "condition": "[or(equals(parameters('denyAksPrivileged'), 'Yes'), equals(parameters('denyAksPrivileged'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').azOpsSetupDeploymentName]", - "subscriptionId": "[variables('azOpsSubscriptionId')]", - "resourceGroup": "[variables('platformRgNames').azOpsRg]", + "name": "[variables('deploymentNames').aksPrivilegedPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').azOpsRbacDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').azOpsRgDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').monitoringSolutionsLiteDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').monitoringSolutionsDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", - "corpLzs", - "onlineLzs" + "policyCompletion" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').azOpsSetup]" + "uri": "[variables('deploymentUris').aksPrivilegedPolicyAssignment]" }, "parameters": { - "paToken": { - "value": "[parameters('paToken')]" - }, - "principalSecret": { - "value": "[parameters('principalSecret')]" - }, - "gitHubUserNameOrOrg": { - "value": "[parameters('gitHubUserNameOrOrg')]" - }, - "topLevelManagementGroupPrefix": { - "value": "[parameters('enterpriseScaleCompanyPrefix')]" - }, - "appId": { - "value": "[parameters('appId')]" - }, - "repositoryName": { - "value": "[parameters('repositoryName')]" + "enforcementMode": { + "value": "[if(equals(parameters('denyAksPrivileged'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, - /* - The following deployments will deploy and configure the Azure policy governance for the landing zones - */ { - // Deploying Private DNS Zones policy assignment for PaaS services using built-in policies - "condition": "[or(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), equals(parameters('enablePrivateDnsZonesForLzs'), 'Audit'))]", + // Assigning Https enforcement for 
AKS policy to landing zones management group if condition is true + "condition": "[or(equals(parameters('denyHttpIngressForAks'), 'Yes'), equals(parameters('denyHttpIngressForAks'), 'Audit'))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('deploymentNames').privateDnsPolicyDeploymentName]", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').aksHttpsPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", - "scope": "[variables('scopes').corpManagementGroup]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]", - "dnsZones", - "dnsZonesLite", "policyCompletion" - ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').privateDnsZonePolicyAssignment]" + "uri": "[variables('deploymentUris').aksHttpsPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "[if(equals(parameters('denyHttpIngressForAks'), 'Yes'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + // Assigning TLS-SSL policy initiative to landing zones management group if condition is true + "condition": "[or(equals(parameters('enableEncryptionInTransit'), 'Yes'), equals(parameters('enableEncryptionInTransit'), 'Audit'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').tlsSslPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').tlsSslPolicyAssignment]" }, "parameters": { 
"topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "location": { - "value": "[parameters('connectivityLocation')]" - }, - "dnsZoneResourceGroupId": { - "value": "[variables('platformResourceIds').privateDnsRgResourceId]" - }, "enforcementMode": { - "value": "[if(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('enableEncryptionInTransit'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning RBAC for Private DNS Zone Policy assignment to the connectivity hub - "condition": "[equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes')]", + // Assigning IP Fwd policy to landing zones management group if condition is true + "condition": "[or(equals(parameters('denyIpForwarding'), 'Yes'),equals(parameters('denyIpForwarding'), 'Audit'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ipFwPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ipFwdPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "[if(equals(parameters('denyIpForwarding'), 'Yes'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + // Assigning deny public endpoint initiative to corp connected landing zones management group if condition is true + "condition": "[or(equals(parameters('denyPublicEndpoints'), 'Yes'),equals(parameters('denyPublicEndpoints'), 'Audit'))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-10-01", - "name": "[variables('deploymentNames').dnsZoneRoleAssignmentDeploymentName]", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').publicEndpointPolicyDeploymentName]", + "scope": 
"[variables('scopes').corpManagementGroup]", "location": "[deployment().location]", - "subscriptionId": "[variables('singleVsDedicatedConnectivitySub')]", "dependsOn": [ - "[variables('deploymentNames').privateDnsPolicyDeploymentName]" + "policyCompletion" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').roleAssignments]" + "uri": "[variables('deploymentUris').publicEndpointPolicyAssignment]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "principalId": { - "value": "[if(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), reference(variables('deploymentNames').privateDnsPolicyDeploymentName).outputs.principalId.value, 'na')]" - }, - "roleDefinitionId": { - "value": "[variables('roleDefinitions').networkContributor]" + "enforcementMode": { + "value": "[if(equals(parameters('denyPublicEndpoints'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning Azure Monitor for VMs policy initiative to intermediate root management group if condition is true - "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Audit')))]", + // Assigning deny NIC with Public IP policy to corp connected landing zones management group if condition is true + "condition": "[or(equals(parameters('denyPipOnNicforCorp'), 'Yes'), equals(parameters('denyPipOnNicforCorp'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').azVmMonitorPolicyDeploymentName]", - "scope": "[variables('scopes').eslzRootManagementGroup]", + "name": "[variables('deploymentNames').pipOnNicPolicyDeploymentName]", + "scope": "[variables('scopes').corpManagementGroup]", "location": 
"[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + "policyCompletion" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').azVmMonitorPolicyAssignment]" + "uri": "[variables('deploymentUris').pipOnNicPolicyAssignment]" }, "parameters": { - "logAnalyticsResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" - }, - "topLevelManagementGroupPrefix": { - "value": "[parameters('enterpriseScaleCompanyPrefix')]" - }, "enforcementMode": { - "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('denyPipOnNicforCorp'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning Azure Monitor for VMSS policy initiative to intermediate root management group if condition is true - "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmssMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Audit')))]", + // Assigning deny management ports from internet policy landing zones management group if condition is true + "condition": "[or(equals(parameters('denyMgmtPorts'), 'Yes'), equals(parameters('denyMgmtPorts'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').azVmssMonitorPolicyDeploymentName]", - "scope": "[variables('scopes').eslzRootManagementGroup]", + "name": "[variables('deploymentNames').mgmtFromInternetPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + "policyCompletion" ], 
"properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').azVmssMonitorPolicyAssignment]" + "uri": "[variables('deploymentUris').mgmtFromInternetPolicyAssignment]" }, "parameters": { - "logAnalyticsResourceId": { - "value": "[variables('platformResourceIds').logAnalyticsResourceId]" - }, "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, "enforcementMode": { - "value": "[if(equals(parameters('enableVmssMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('denyMgmtPorts'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning Azure Backup policy to landing zones management group if condition is true - "condition": "[or(equals(parameters('enableVmBackup'), 'Yes'), equals(parameters('enableVmBackup'), 'Audit'))]", + // Assigning deny storage without https policy to landing zones management group if condition is true + "condition": "[or(equals(parameters('enableStorageHttps'), 'Yes'), equals(parameters('enableStorageHttps'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').azBackupLzPolicyDeploymentName]", + "name": "[variables('deploymentNames').storageHttpsPolicyDeploymentName]", "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ 
@@ -2190,55 +6441,49 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]" + "uri": "[variables('deploymentUris').storageHttpsPolicyAssignment]" }, "parameters": { - "topLevelManagementGroupPrefix": { - "value": "[parameters('enterpriseScaleCompanyPrefix')]" - }, "enforcementMode": { - "value": "[if(equals(parameters('enableVmBackup'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('enableStorageHttps'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning DDoS Policy to enforce DDoS on virtual networks in landing zones management group if condition evaluates to true - "condition": "[and(or(equals(parameters('enableLzDdoS'), 'Yes'), equals(parameters('enableLzDdoS'), 'Audit')), not(empty(parameters('connectivitySubscriptionId'))))]", + // Assigning Key Vault guardrails initiative to landing zones management group if condition is true + "condition": "[or(equals(parameters('enforceKvGuardrails'), 'Yes'), equals(parameters('enforceKvGuardrails'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').ddosLzPolicyDeploymentName]", + "name": "[variables('deploymentNames').kvGuardrailsPolicyDeploymentName]", "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + "policyCompletion" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').ddosPolicyAssignment]" + "uri": "[variables('deploymentUris').kvGuardrailsPolicyAssignment]" }, "parameters": { - "ddosPlanResourceId": { - "value": "[variables('platformResourceIds').ddosProtectionResourceId]" - }, "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, "enforcementMode": { 
- "value": "[if(equals(parameters('enableLzDdoS'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('enforceKvGuardrails'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning Azure Policy to prevent Databricks using public IP - "condition": "[or(equals(parameters('denyDatabricksPip'), 'Yes'), equals(parameters('denyDatabricksPip'), 'Audit'))]", + // Assigning Key Vault guardrails initiative to platform management group if condition is true + "condition": "[or(equals(parameters('enforceKvGuardrailsPlat'), 'Yes'), equals(parameters('enforceKvGuardrailsPlat'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').databricksPipDeploymentName]", - "scope": "[variables('scopes').corpManagementGroup]", + "name": "[variables('deploymentNames').kvGuardrailsPolicyPlatDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ "policyCompletion" 
@@ -2247,25 +6492,25 @@
 "mode": "Incremental",
 "templateLink": {
 "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').databricksPip]"
+ "uri": "[variables('deploymentUris').kvGuardrailsPolicyAssignment]"
 },
 "parameters": {
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('enterpriseScaleCompanyPrefix')]"
 },
 "enforcementMode": {
- "value": "[if(equals(parameters('denyDatabricksPip'), 'Yes'), 'Default', 'DoNotEnforce')]"
+ "value": "[if(equals(parameters('enforceKvGuardrailsPlat'), 'Yes'), 'Default', 'DoNotEnforce')]"
 }
 }
 }
 },
 {
- // Assigning Azure Policy to prevent Databricks sku
- "condition": "[or(equals(parameters('denyDatabricksSku'), 'Yes'), equals(parameters('denyDatabricksSku'), 'Audit'))]",
+ // Assigning Azure Recovery Services - Backup and Site Recovery - guardrails initiative to landing zones management group if condition is true
+ "condition": "[or(equals(parameters('enforceBackup'), 'Yes'), equals(parameters('enforceBackup'), 'Audit'))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
- "name": "[variables('deploymentNames').databricksSkuDeploymentName]",
- "scope": "[variables('scopes').corpManagementGroup]",
+ "name": "[variables('deploymentNames').backupPolicyDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "policyCompletion"
@@ -2274,25 +6519,25 @@
 "mode": "Incremental",
 "templateLink": {
 "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').databricksSku]"
+ "uri": "[variables('deploymentUris').backupPolicyAssignment]"
 },
 "parameters": {
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('enterpriseScaleCompanyPrefix')]"
 },
 "enforcementMode": {
- "value": "[if(equals(parameters('denyDatabricksSku'), 'Yes'), 'Default', 'DoNotEnforce')]"
+ "value": "[if(equals(parameters('enforceBackup'), 'Yes'), 'Default', 'DoNotEnforce')]"
 }
 }
 }
 },
 {
- // Assigning Azure Policy to prevent Databricks sku
- "condition": "[or(equals(parameters('denyDatabricksVnet'), 'Yes'), equals(parameters('denyDatabricksVnet'), 'Audit'))]",
+ // Assigning Azure Recovery Services - Backup and Site Recovery - guardrails initiative to platform management group if condition is true
+ "condition": "[or(equals(parameters('enforceBackupPlat'), 'Yes'), equals(parameters('enforceBackupPlat'), 'Audit'))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
- "name": "[variables('deploymentNames').databricksVnetDeploymentName]",
- "scope": "[variables('scopes').corpManagementGroup]",
+ "name": "[variables('deploymentNames').backupPlatPolicyDeploymentName]",
+ "scope": "[variables('scopes').platformManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "policyCompletion"
@@ -2301,25 +6546,25 @@
 "mode": "Incremental",
 "templateLink": {
 "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').databricksVnet]"
+ "uri": "[variables('deploymentUris').backupPolicyAssignment]"
 },
 "parameters": {
 "topLevelManagementGroupPrefix": {
 "value": "[parameters('enterpriseScaleCompanyPrefix')]"
 },
 "enforcementMode": {
- "value": "[if(equals(parameters('denyDatabricksVnet'), 'Yes'), 'Default', 'DoNotEnforce')]"
+ "value": "[if(equals(parameters('enforceBackupPlat'), 'Yes'), 'Default', 'DoNotEnforce')]"
 }
 }
 }
 },
 {
- // Assigning Azure Policy enablement policy for AKS to landing zones management group if condition is true
- "condition": "[or(equals(parameters('enableAksPolicy'), 'Yes'), equals(parameters('enableAksPolicy'), 'Audit'))]",
+ // Assigning policy to deny deployment of vWAN/ER/VPN Gateways to corp management group if condition is true
+ "condition": "[or(equals(parameters('denyHybridNetworking'), 'Yes'), equals(parameters('denyHybridNetworking'), 'Audit'))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
- "name": "[variables('deploymentNames').azPolicyForAksPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManagementGroup]",
+ "name": "[variables('deploymentNames').denyHybridNetworkingPolicyDeploymentName]",
+ "scope": "[variables('scopes').corpManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "policyCompletion"
@@ -2328,25 +6573,22 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').azPolicyForAksPolicyAssignment]" + "uri": "[variables('deploymentUris').denyHybridNetworkingPolicyAssignment]" }, "parameters": { - "topLevelManagementGroupPrefix": { - "value": "[parameters('enterpriseScaleCompanyPrefix')]" - }, "enforcementMode": { - "value": "[if(equals(parameters('enableaksPolicy'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('denyHybridNetworking'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning Aks Priv Escalation policy to landing zones management group if condition is true - "condition": "[or(equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), equals(parameters('denyAksPrivilegedEscalation'), 'Audit'))]", + // Assigning policy to audit deployment of Private Link Private DNS Zones to corp landing zones management group if condition is true + "condition": "[or(equals(parameters('auditPeDnsZones'), 'Yes'), equals(parameters('auditPeDnsZones'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').aksPrivEscalationPolicyDeploymentName]", - "scope": "[variables('scopes').lzsManagementGroup]", + "name": "[variables('deploymentNames').auditPeDnsZonesPolicyDeploymentName]", + "scope": "[variables('scopes').corpManagementGroup]", "location": "[deployment().location]", "dependsOn": [ "policyCompletion" 
@@ -2355,21 +6597,27 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').aksPrivEscalationPolicyAssignment]" + "uri": "[variables('deploymentUris').auditPeDnsZonesPolicyAssignment]" }, "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "privateLinkDnsZones": { + "value": "[variables('privateDnsZonesMergedWithBackupPlaceholderRemoved')]" + }, "enforcementMode": { - "value": "[if(equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('auditPeDnsZones'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning Aks Priviliged policy to landing zones management group if condition is true - "condition": "[or(equals(parameters('denyAksPrivileged'), 'Yes'), equals(parameters('denyAksPrivileged'), 'Audit'))]", + // Assigning policy to audit deployment of WAF on Application Gateways to landing zones management group if condition is true + "condition": "[or(equals(parameters('auditAppGwWaf'), 'Yes'), equals(parameters('auditAppGwWaf'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').aksPrivilegedPolicyDeploymentName]", + "name": "[variables('deploymentNames').auditAppGWWafPolicyDeploymentName]", "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ 
@@ -2379,22 +6627,22 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').aksPrivilegedPolicyAssignment]" + "uri": "[variables('deploymentUris').auditAppGwWafPolicyAssignment]" }, "parameters": { "enforcementMode": { - "value": "[if(equals(parameters('denyAksPrivileged'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('auditAppGwWaf'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning Https enforcement for AKS policy to landing zones management group if condition is true - "condition": "[or(equals(parameters('denyHttpIngressForAks'), 'Yes'), equals(parameters('denyHttpIngressForAks'), 'Audit'))]", + // Assigning policy to audit Azure Compute Security Baseline compliance to the landing zones management group if condition is true + "condition": "[or(equals(parameters('enforceACSB'), 'Yes'), equals(parameters('enforceACSB'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').aksHttpsPolicyDeploymentName]", - "scope": "[variables('scopes').lzsManagementGroup]", + "name": "[variables('deploymentNames').enforceACSBPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ "policyCompletion" 
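Review bot: The WAF audit deployment in the `@@ -2355` hunk reads its name as `variables('deploymentNames').auditAppGWWafPolicyDeploymentName`, while the URI it links (`auditAppGwWafPolicyAssignment`, next hunk) and the parameter it is gated on (`auditAppGwWaf`) spell it `Gw`; the `GW` form is the odd one out. Whether the variable lookup tolerates the case difference depends on how ARM resolves object property names, which I cannot confirm from here, so aligning the spelling removes the question and keeps the three identifiers greppable together: `"name": "[variables('deploymentNames').auditAppGwWafPolicyDeploymentName]",` (the matching key in the `deploymentNames` variable is outside this hunk). The deployment's `properties` block continues in the next hunk.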
@@ -2403,21 +6651,24 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').aksHttpsPolicyAssignment]" + "uri": "[variables('deploymentUris').enforceACSBPolicyAssignment]" }, "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, "enforcementMode": { - "value": "[if(equals(parameters('denyHttpIngressForAks'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('enforceACSB'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning TLS-SSL policy initiative to landing zones management group if condition is true - "condition": "[or(equals(parameters('enableEncryptionInTransit'), 'Yes'), equals(parameters('enableEncryptionInTransit'), 'Audit'))]", + // Assigning deny subnet without nsg policy to landing zones management group if condition is true + "condition": "[or(equals(parameters('denySubnetWithoutNsg'), 'Yes'), equals(parameters('denySubnetWithoutNsg'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').tlsSslPolicyDeploymentName]", + "name": "[variables('deploymentNames').subnetNsgPolicyDeploymentName]", "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ 
@@ -2427,102 +6678,117 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').tlsSslPolicyAssignment]" + "uri": "[variables('deploymentUris').subnetNsgPolicyAssignment]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, "enforcementMode": { - "value": "[if(equals(parameters('enableEncryptionInTransit'), 'Yes'), 'Default', 'DoNotEnforce')]" + "value": "[if(equals(parameters('denySubnetWithoutNsg'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning IP Fwd policy to landing zones management group if condition is true - "condition": "[equals(parameters('denyIpForwarding'), 'Yes')]", + // Assigning sql audit policy to landing zones management group if condition is true + "condition": "[or(equals(parameters('enableSqlAudit'), 'Yes'), equals(parameters('enableSqlAudit'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').ipFwPolicyDeploymentName]", + "name": "[variables('deploymentNames').sqlAuditPolicyDeploymentName]", "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').ipFwdPolicyAssignment]" + "uri": "[variables('deploymentUris').sqlAuditPolicyAssignment]" }, "parameters": { + "topLevelManagementGroupPrefix": { + 
"value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, "enforcementMode": { - "value": "Default" + "value": "[if(equals(parameters('enableSqlAudit'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning deny public endpoint initiative to corp connected landing zones management group if condition is true - "condition": "[equals(parameters('denyPublicEndpoints'), 'Yes')]", + // Assigning Log Analytics Contributor RBAC Role for SQL Auditing Assignment on Management Subscription + "condition": "[equals(parameters('enableSqlAudit'), 'Yes')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').publicEndpointPolicyDeploymentName]", - "scope": "[variables('scopes').corpManagementGroup]", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').sqlAuditRoleAssignmentDeploymentName1]", "location": "[deployment().location]", + "subscriptionId": "[variables('singleVsDedicatedMgmtSub')]", "dependsOn": [ - "policyCompletion" + "[variables('deploymentNames').sqlAuditPolicyDeploymentName]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').publicEndpointPolicyAssignment]" + "uri": "[variables('deploymentUris').roleAssignments]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "enforcementMode": { - "value": "Default" + "principalId": { + "value": "[if(equals(parameters('enableSqlAudit'), 'Yes'), reference(variables('deploymentNames').sqlAuditPolicyDeploymentName).outputs.principalId.value, 'na')]" + }, + "roleDefinitionId": { + "value": "92aaf0da-9dab-42b6-94a3-d43ce8d16293" } } } }, { - // Assigning deny rpd from internet policy landing zones management group if condition is true - "condition": "[equals(parameters('denyRdp'), 'Yes')]", + // 
Assigning SQL Security Manager RBAC Role for SQL Auditing Assignment on Management Subscription + "condition": "[equals(parameters('enableSqlAudit'), 'Yes')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').rdpFromInternetPolicyDeploymentName]", - "scope": "[variables('scopes').lzsManagementGroup]", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').sqlAuditRoleAssignmentDeploymentName2]", "location": "[deployment().location]", + "subscriptionId": "[variables('singleVsDedicatedMgmtSub')]", "dependsOn": [ - "policyCompletion" + "[variables('deploymentNames').sqlAuditPolicyDeploymentName]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').rdpFromInternetPolicyAssignment]" + "uri": "[variables('deploymentUris').roleAssignments]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "enforcementMode": { - "value": "Default" + "principalId": { + "value": "[if(equals(parameters('enableSqlAudit'), 'Yes'), reference(variables('deploymentNames').sqlAuditPolicyDeploymentName).outputs.principalId.value, 'na')]" + }, + "roleDefinitionId": { + "value": "056cd41c-7e88-42e1-933e-88ba6a50c9c3" } } } }, { - // Assigning deny storage without https policy to landing zones management group if condition is true - "condition": "[equals(parameters('enableStorageHttps'), 'Yes')]", + // Assigning sql encryption policy to landing zones management group if condition is true + "condition": "[or(equals(parameters('enableSqlEncryption'), 'Yes'), equals(parameters('enableSqlEncryption'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').storageHttpsPolicyDeploymentName]", + "name": "[variables('deploymentNames').sqlEncryptionPolicyDeploymentName]", "scope": "[variables('scopes').lzsManagementGroup]", 
"location": "[deployment().location]", "dependsOn": [ @@ -2532,21 +6798,24 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').storageHttpsPolicyAssignment]" + "uri": "[variables('deploymentUris').sqlEncryptionPolicyAssignment]" }, "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, "enforcementMode": { - "value": "Default" + "value": "[if(equals(parameters('enableSqlEncryption'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning deny subnet without nsg policy to landing zones management group if condition is true - "condition": "[equals(parameters('denySubnetWithoutNsg'), 'Yes')]", + // Assigning sql threat detection policy to landing zones management group if condition is true + "condition": "[or(equals(parameters('enableSqlThreat'), 'Yes'), equals(parameters('enableSqlThreat'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').subnetNsgPolicyDeploymentName]", + "name": "[variables('deploymentNames').sqlThreatPolicyDeploymentName]", "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ 
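Review bot: The two SQL-audit role assignments in the `@@ -2427` hunk pass the role as bare GUIDs (`"value": "92aaf0da-9dab-42b6-94a3-d43ce8d16293"` and `"value": "056cd41c-7e88-42e1-933e-88ba6a50c9c3"`), whereas the template already has a `variables('roleDefinitions')` map (the removed side uses `variables('roleDefinitions').networkContributor`); naming them there, e.g. `"value": "[variables('roleDefinitions').logAnalyticsContributor]"`, makes the permission grant to the policy identity reviewable without a GUID lookup. Those grants are also conditioned on `equals(parameters('enableSqlAudit'), 'Yes')` while the policy assignment itself deploys for `'Yes'` or `'Audit'`, so in `Audit` mode the assignment's identity is created without any role; if that assignment carries a deploy effect, a later manual remediation would presumably fail on authorization — worth a comment stating that `Audit` intentionally leaves the identity unprivileged, if so. Finally the `dependsOn` list of the SQL-audit policy deployment spells the same variable both `esLitedeploymentNames` and `esLiteDeploymentNames`; whichever is the declared name should be used on both lines.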
@@ -2556,25 +6825,25 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').subnetNsgPolicyAssignment]" + "uri": "[variables('deploymentUris').sqlThreatPolicyAssignment]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, "enforcementMode": { - "value": "Default" + "value": "[if(equals(parameters('enableSqlThreat'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning sql audit policy to landing zones management group if condition is true - "condition": "[equals(parameters('enableSqlAudit'), 'Yes')]", + // Assigning decommissioned initiative to decommissioned management group if condition is true + "condition": "[or(equals(parameters('enableDecommissioned'), 'Yes'), equals(parameters('enableDecommissioned'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').sqlAuditPolicyDeploymentName]", - "scope": "[variables('scopes').lzsManagementGroup]", + "name": "[variables('deploymentNames').decommissionPolicyDeploymentName]", + "scope": "[variables('scopes').decommissionedManagementGroup]", "location": "[deployment().location]", "dependsOn": [ "policyCompletion" 
@@ -2583,25 +6852,25 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').sqlAuditPolicyAssignment]" + "uri": "[variables('deploymentUris').decommissionPolicyAssignment]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, "enforcementMode": { - "value": "Default" + "value": "[if(equals(parameters('enableDecommissioned'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { - // Assigning sql encryption policy to landing zones management group if condition is true - "condition": "[equals(parameters('enableSqlEncryption'), 'Yes')]", + // Assigning sandbox initiative to sandbox management group if condition is true + "condition": "[or(equals(parameters('enableSandbox'), 'Yes'), equals(parameters('enableSandbox'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('deploymentNames').sqlEncryptionPolicyDeploymentName]", - "scope": "[variables('scopes').lzsManagementGroup]", + "name": "[variables('deploymentNames').sandboxPolicyDeploymentName]", + "scope": "[variables('scopes').sandboxManagementGroup]", "location": "[deployment().location]", "dependsOn": [ "policyCompletion" @@ -2610,14 +6879,14 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').sqlEncryptionPolicyAssignment]" + "uri": "[variables('deploymentUris').sandboxPolicyAssignment]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, "enforcementMode": { - "value": "Default" + "value": "[if(equals(parameters('enableSandbox'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } 
@@ -2706,11 +6975,11 @@
 }
 },
 {
- // Assigning deny rpd from internet on identity management group if condition is true
- "condition": "[and(equals(parameters('denyRdpForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]",
+ // Assigning deny management ports from internet on identity management group if condition is true
+ "condition": "[and(equals(parameters('denyMgmtPortsForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
- "name": "[variables('deploymentNames').rdpFromInternetIdentityPolicyDeploymentName]",
+ "name": "[variables('deploymentNames').mgmtFromInternetIdentityPolicyDeploymentName]",
 "scope": "[variables('scopes').identityManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
@@ -2721,7 +6990,7 @@
 "mode": "Incremental",
 "templateLink": {
 "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').rdpFromInternetPolicyAssignment]"
+ "uri": "[variables('deploymentUris').mgmtFromInternetPolicyAssignment]"
 },
 "parameters": {
 "topLevelManagementGroupPrefix": {
@@ -2734,7 +7003,7 @@
 }
 },
 {
- // Peer vnet in identity subscription to connectivity hub if vhub or nva contidion is true
+ // Peer vnet in identity subscription to connectivity hub if vhub or nva condition is true
 "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('identityAddressPrefix'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-06-01",
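Review bot: The identity-scope management-ports assignment in the `@@ -2706` hunk is gated on `equals(parameters('denyMgmtPortsForIdentity'), 'Yes')` only, while its landing-zones counterpart earlier in this diff (`denyMgmtPorts`) accepts `'Yes'` or `'Audit'` and maps `Audit` to `DoNotEnforce`. If `denyMgmtPortsForIdentity` also allows an `Audit` value (its declaration is outside this hunk, so I cannot tell), choosing it would silently deploy nothing for identity; the condition would then be `"condition": "[and(or(equals(parameters('denyMgmtPortsForIdentity'), 'Yes'), equals(parameters('denyMgmtPortsForIdentity'), 'Audit')), not(empty(parameters('identitySubscriptionId'))))]",` with a matching `enforcementMode` expression. If `Audit` is intentionally unsupported here, a one-line comment saying so next to the condition would stop the next reader from raising the same question. The deployment's `properties` block sits in the following hunk.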
@@ -2781,17 +7050,111 @@ } }, { - // Peer vnet in identity subscription to connectivity hub if vwan contidion is true - "condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('identityAddressPrefix'))))]", + // Peer vnet in identity subscription to connectivity hub in a secondary region if vhub or nva condition is true + "condition": "[and(or(equals(parameters('enableHubSecondary'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('identityAddressPrefixSecondary'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deploymentNames').identityPeering2DeploymentName]", + "subscriptionId": "[parameters('identitySubscriptionId')]", + "location": "[parameters('connectivityLocationSecondary')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHub2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('deploymentUris').corpVnetPeering]" + }, + "parameters": { + "vNetRgName": { + "value": "[variables('platformRgNames').identityVnetRgSecondary]" + }, + "vNetName": { + "value": "[take(concat(variables('platformResourceNames').identityVnetSecondary, '-', uniqueString(parameters('identitySubscriptionId'))), 64)]" + }, + "vNetLocation": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "vNetCidrRange": { + "value": "[parameters('identityAddressPrefixSecondary')]" + }, + "hubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]" + }, + "azureFirewallResourceId": { + "value": "[if(equals(parameters('enableAzFwDnsProxySecondary'), 'Yes'), variables('platformResourceIds').azFirewallResourceIdSecondary, '')]" + } + } + } + }, + { + // Peer vnet in identity subscription to connectivity hub if vwan condition is true + "condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('identityAddressPrefix'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deploymentNames').identityVwanPeeringDeploymentName]", + "subscriptionId": "[parameters('identitySubscriptionId')]", + "location": "[parameters('connectivityLocation')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').corpVwanPeering]" + }, + "parameters": { + "vNetRgName": { + "value": "[variables('platformRgNames').identityVnetRg]" + }, + "vNetName": { + "value": "[take(concat(variables('platformResourceNames').identityVnet, '-', uniqueString(parameters('identitySubscriptionId'))), 64)]" + }, + "vNetLocation": { + "value": "[parameters('connectivityLocation')]" + }, + "vNetCidrRange": { + "value": "[parameters('identityAddressPrefix')]" + }, + "vWanHubResourceId": { + "value": "[variables('platformResourceIds').vWanHubResourceId]" + }, + "azureFirewallResourceId": { + "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]" + } + } + } + }, + { + // Peer vnet in identity subscription to connectivity hub if vwan condition is true + "condition": "[and(equals(parameters('enableHubSecondary'), 'vwan'), not(empty(parameters('identityAddressPrefixSecondary'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", - "name": "[variables('deploymentNames').identityVwanPeeringDeploymentName]", + "name": "[variables('deploymentNames').identityVwanPeering2DeploymentName]", "subscriptionId": "[parameters('identitySubscriptionId')]", - "location": "[parameters('connectivityLocation')]", + "location": "[parameters('connectivityLocationSecondary')]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').vnetConnectivityHub2DeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHub2DeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", @@ -2807,22 +7170,22 @@ }, "parameters": { "vNetRgName": { - "value": "[variables('platformRgNames').identityVnetRg]" + "value": "[variables('platformRgNames').identityVnetRgSecondary]" }, "vNetName": { - "value": "[take(concat(variables('platformResourceNames').identityVnet, '-', uniqueString(parameters('identitySubscriptionId'))), 64)]" + "value": "[take(concat(variables('platformResourceNames').identityVnetSecondary, '-', uniqueString(parameters('identitySubscriptionId'))), 64)]" }, "vNetLocation": { - "value": "[parameters('connectivityLocation')]" + "value": "[parameters('connectivityLocationSecondary')]" }, "vNetCidrRange": { - "value": "[parameters('identityAddressPrefix')]" + "value": "[parameters('identityAddressPrefixSecondary')]" }, "vWanHubResourceId": { - "value": "[variables('platformResourceIds').vWanHubResourceId]" + "value": "[variables('platformResourceIds').vWanHubResourceIdSecondary]" }, "azureFirewallResourceId": { - "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]" + "value": "[if(equals(parameters('enableAzFwDnsProxySecondary'), 'Yes'), variables('platformResourceIds').azFirewallResourceIdSecondary, '')]" } } } 
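Review bot: The condition of the new identityPeering2 deployment tests `equals(parameters('enableHub'), 'vhub')` for the vhub branch while the nva branch tests enableHubSecondary, so a primary vhub with a secondary region that is not a vhub would still attempt to peer the secondary identity VNet against variables('platformResourceIds').vNetHubResourceIdSecondary; the sibling vwan secondary deployment at the end of the hunk uses enableHubSecondary consistently. Change the line to `"condition": "[and(or(equals(parameters('enableHubSecondary'), 'nva'), equals(parameters('enableHubSecondary'), 'vhub')), not(empty(parameters('identityAddressPrefixSecondary'))))]"`. The dependsOn lists of both secondary deployments also reference the primary vwanConnectivityHubDeploymentName rather than a secondary-region counterpart, which may be deliberate if no such deployment exists but is worth confirming. The last deployment's comment `// Peer vnet in identity subscription to connectivity hub if vwan condition is true` should read `// Peer vnet in identity subscription to connectivity hub in a secondary region if vwan condition is true` so it is not confused with the primary-region deployment directly above it.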
@@ -3092,351 +7455,823 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').subscriptionPlacement]" + "uri": "[variables('deploymentUris').subscriptionPlacement]" + }, + "parameters": { + "targetManagementGroupId": { + "value": "[variables('mgmtGroups').platform]" + }, + "subscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + } + } + } + }, + /* + Note: ES Lite only: the following deployment will create Log Analytics to the platform subscription + */ + { + // Deploying Log Analytics workspace to platform subscription if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').monitoringLiteDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esliteDeploymentNames').platformLiteSubscriptionPlacement)]", + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').monitoring]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "workspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationAccountName": { + "value": "[variables('platformResourceNames').automationAccount]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "retentionInDays": { + "value": "[parameters('retentionInDays')]" + }, + "enableSentinel": { + "value": "[parameters('enableSentinel')]" + } + } + } + }, + /* + Note: ES Lite only: the following deployment will create Log Analytics to the 
platform subscription + */ + { + // Deploying user assigned identity if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').userAssignedIdentityLiteDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').userAssignedIdentity]" + }, + "parameters": { + "location": { + "value": "[deployment().location]" + }, + "userAssignedIdentityName": { + "value": "[variables('platformResourceNames').userAssignedIdentity]" + }, + "userAssignedIdentityResourceGroup": { + "value": "[variables('platformRgNames').mgmtRg]" + } + } + } + }, + /* + Note: ES Lite only: deploy Log Analytics workspace policy to the platform management group + */ + { + // Assigning Log Analytics workspace policy to platform management group if condition is true + "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').logAnalyticsLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('deploymentUris').logAnalyticsPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "rgName": { + "value": "[variables('platformRgNames').mgmtRg]" + }, + "logAnalyticsWorkspaceName": { + "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationAccountName": { + "value": "[variables('platformResourceNames').automationAccount]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "retentionInDays": { + "value": "[parameters('retentionInDays')]" + } + } + } + }, + /* + Note: ES Lite only: deploy RG for DDoS Network Protection to platform subscription + */ + { + // Creating resource group for DDoS Network Protection + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').ddosRgLiteDeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').ddosRg]" + }, + "location": { + "value": 
"[parameters('connectivityLocation')]" + } + } + } + }, + /* + Note: ES Lite only: deploy DDoS Network Protection + */ + { + // Creating DDoS protection plan into the connectivity subscription + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').ddosLiteDeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').ddosRg]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosRgLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ddosProtection]" + }, + "parameters": { + "ddosName": { + "value": "[variables('platformResourceNames').ddosName]" + }, + "location": { + "value": "[parameters('connectivityLocation')]" + } + } + } + }, + /* + Note: ES Lite only: deploy RG for Private DNS zones to platform subscription + */ + { + // Creating resource group for Private DNS Zones + "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').privateDnsRg]" + }, + "location": { + "value": "[parameters('connectivityLocation')]" + } + } + } + }, + /* + Note: ES Lite only: deploy RG for Private DNS zones to platform subscription in a secondary region + */ + { + // Creating resource group for Private DNS Zones for a secondary region + "condition": "[and(equals(parameters('enablePrivateDnsZonesSecondary'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').privateDnsZoneRgLite2DeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" }, "parameters": { - "targetManagementGroupId": { - "value": "[variables('mgmtGroups').platform]" + "rgName": { + "value": "[variables('platformRgNames').privateDnsRg2]" }, - "subscriptionId": { - "value": "[parameters('singlePlatformSubscriptionId')]" + "location": { + "value": "[parameters('connectivityLocationSecondary')]" } } } }, - /* - Note: ES Lite only: the following deployment will create Log Analytics to the platform subscription + /* + Note: ES Lite only: deploy private DNS zones for primary region */ { - // Deploying Log Analytics workspace to platform subscription if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + // Creating Private DNS Zones into the connectivity subscription for only a primary region, and linking them to the secondary if provided. 
+ "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('esLiteDeploymentNames').monitoringLiteDeploymentName]", - "location": "[deployment().location]", + "name": "[concat(variables('esLitedeploymentNames').privateDnsZonesLiteDeploymentName, copyIndex())]", "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').privateDnsRg]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esliteDeploymentNames').platformLiteSubscriptionPlacement)]", - "policyCompletion" + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName)]" ], + "copy": { + "name": "dnsZonesLite", + "count": "[length(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitoring]" + 
"uri": "[variables('deploymentUris').privateDnsZones]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "workspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" + "privateDnsZoneName": { + "value": "[concat(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved')[copyIndex()])]" }, - "workspaceRegion": { - "value": "[deployment().location]" + "connectivityHubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceId]" }, - "automationAccountName": { - "value": "[variables('platformResourceNames').automationAccount]" + "connectivityHubResourceIdSecondary": { + "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]" }, - "automationRegion": { - "value": "[deployment().location]" + "enablePrivateDnsZonesSecondary": { + "value": "[parameters('enablePrivateDnsZonesSecondary')]" }, - "retentionInDays": { - "value": "[parameters('retentionInDays')]" + "enableHubSecondary": { + "value": "[parameters('enableHubSecondary')]" } } } }, /* - Note: ES Lite only: the following deployments will deploy Log Analytics solutions to the platform subscription + Note: ES Lite only: deploy private DNS zones in a secondary region */ { - // Deploying Log Analytics solutions to Log Analytics workspace if condition is true - "condition": "[and(and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableServiceMap'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')), equals(parameters('enableSqlAdvancedThreatProtection'), 'Yes')), equals(parameters('enableSqlVulnerabilityAssessment'), 
'Yes')))]", + // Creating Private DNS Zones into the connectivity subscription for a secondary region + "condition": "[and(equals(parameters('enablePrivateDnsZonesSecondary'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('esLiteDeploymentNames').monitoringSolutionsLiteDeploymentName]", - "location": "[deployment().location]", + "name": "[concat(variables('esLitedeploymentNames').privateDnsZonesLite2DeploymentName, copyIndex())]", "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').privateDnsRg2]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", - "policyCompletion" + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLite2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName)]" ], + "copy": { + "name": "dnsZonesLite", + "count": "[length(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved'))]" + }, "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').monitoringSolutions]" + "uri": "[variables('deploymentUris').privateDnsZones]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "workspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - 
"workspaceRegion": { - "value": "[deployment().location]" - }, - "enableSecuritySolution": { - "value": "[parameters('enableSecuritySolution')]" - }, - "enableAgentHealth": { - "value": "[parameters('enableAgentHealth')]" - }, - "enableChangeTracking": { - "value": "[parameters('enableChangeTracking')]" - }, - "enableUpdateMgmt": { - "value": "[parameters('enableUpdateMgmt')]" - }, - "enableVmInsights": { - "value": "[parameters('enableVmInsights')]" + "privateDnsZoneName": { + "value": "[concat(variables('privateDnsZonesMergedWithBackupPlaceholderRemoved')[copyIndex()])]" }, - "enableServiceMap": { - "value": "[parameters('enableServiceMap')]" + "connectivityHubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]" }, - "enableSqlAssessment": { - "value": "[parameters('enableSqlAssessment')]" + "connectivityHubResourceIdSecondary": { + "value": "placeholder" }, - "enableSqlAdvancedThreatProtection": { - "value": "[parameters('enableSqlAdvancedThreatProtection')]" + "enablePrivateDnsZonesSecondary": { + "value": "[parameters('enablePrivateDnsZonesSecondary')]" }, - "enableSqlVulnerabilityAssessment": { - "value": "[parameters('enableSqlVulnerabilityAssessment')]" + "enableHubSecondary": { + "value": "No" } } } }, /* - Note: ES Lite only: deploy Log Analytics workspace policy to the platform management group + Note: ES Lite only: assign DDoS policy for landing zones */ { - // Assigning Log Analytics workspace policy to platform management group if condition is true - "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true + "condition": "[and(and(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableHub'), 'Yes'))]", "type": "Microsoft.Resources/deployments", 
"apiVersion": "2020-10-01", - "name": "[variables('esLiteDeploymentNames').logAnalyticsLitePolicyDeploymentName]", + "name": "[variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName]", "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", - "policyCompletion" + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosLiteDeploymentName)]" ], "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]" + "uri": "[variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName]" }, "parameters": { - "topLevelManagementGroupPrefix": { - "value": "[parameters('enterpriseScaleCompanyPrefix')]" - }, - "rgName": { - "value": "[variables('platformRgNames').mgmtRg]" - }, - "logAnalyticsWorkspaceName": { - "value": "[variables('platformResourceNames').logAnalyticsWorkspace]" - }, - "workspaceRegion": { - "value": "[deployment().location]" - }, - "automationAccountName": { - "value": "[variables('platformResourceNames').automationAccount]" + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" }, - "automationRegion": { - "value": "[deployment().location]" + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]" }, - "retentionInDays": { - "value": "[parameters('retentionInDays')]" + "enforcementMode": { + "value": "Default" } } } }, /* - Note: ES Lite only: deploy RG for DDoS Network Protection to platform subscription + Note: ES Lite only: deploys hub and spoke */ { - // Creating resource group for DDoS Network Protection - "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + // Configuring and 
deploying the connectivity hub (hub and spoke) + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[variables('esLiteDeploymentNames').ddosRgLiteDeploymentName]", - "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", - "location": "[deployment().location]", + "apiVersion": "2019-05-01", + "scope": "[variables('scopes').platformManagementGroup]", + "name": "[variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]" ], + "location": "[deployment().location]", "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').resourceGroup]" + "uri": "[variables('deploymentUris').vnetConnectivityHub]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').ddosRg]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" 
+ }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" }, "location": { "value": "[parameters('connectivityLocation')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": "[parameters('subnetMaskForAzFw')]" + }, + "subnetMaskForAzFwMgmt": { + "value": "[parameters('subnetMaskForAzFwMgmt')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, + "firewallZones": { + "value": "[parameters('firewallZones')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxy')]" + }, + "enableVpnActiveActive": { + "value": "[parameters('enableVpnActiveActive')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" } } } }, /* - Note: ES Lite only: deploy DDoS Network Protection + Note: ES Lite only: deploys virtual hub (NVA) */ { - // Creating DDoS protection plan into the connectivity subscription - "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + // Configuring and deploying the connectivity hub (NVA) + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'nva'))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": 
"[variables('esLiteDeploymentNames').ddosLiteDeploymentName]", - "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", - "resourceGroup": "[variables('platformRgNames').ddosRg]", + "apiVersion": "2019-05-01", + "scope": "[variables('scopes').platformManagementGroup]", + "name": "[variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosRgLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]" ], + "location": "[deployment().location]", "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').ddosProtection]" + "uri": "[variables('deploymentUris').nvaConnectivityHub]" }, "parameters": { - "ddosName": { - "value": "[variables('platformResourceNames').ddosName]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('connectivityLocation')]" + }, 
+ "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "enableVpnActiveActive": { + "value": "[parameters('enableVpnActiveActive')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" }, - "location": { - "value": "[parameters('connectivityLocation')]" + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" } } } }, /* - Note: ES Lite only: deploy RG for Private DNS zones to platform subscription + Note: ES Lite only: deploys VWAN hub (Microsoft Managed) */ { - // Creating resource group for Private DNS Zones - "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + // Creating the VWAN network hub (Microsoft managed) + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName]", - "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", - "location": "[deployment().location]", + "scope": "[variables('scopes').platformManagementGroup]", + "name": "[variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" ], + "location": "[deployment().location]", "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').resourceGroup]" + "uri": "[variables('deploymentUris').vwanConnectivityHub]" }, "parameters": { - "rgName": { - "value": "[variables('platformRgNames').privateDnsRg]" + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, + "firewallZones": { + "value": "[parameters('firewallZones')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" }, "location": { "value": 
"[parameters('connectivityLocation')]" - } - } - } - }, - /* - Note: ES Lite only: deploy private DNS zones - */ - { - // Creating Private DNS Zones into the connectivity subscription - "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[concat(variables('esLitedeploymentNames').privateDnsZonesLiteDeploymentName, copyIndex())]", - "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", - "resourceGroup": "[variables('platformRgNames').privateDnsRg]", - "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]" - ], - "copy": { - "name": "dnsZonesLite", - "count": "[length(variables('privateDnsZonesMerge'))]" - }, - "properties": { - "mode": "Incremental", - "templateLink": { - "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').privateDnsZones]" - }, - "parameters": { - "privateDnsZoneName": { - "value": "[concat(variables('privateDnsZonesMerge')[copyIndex()])]" }, - "connectivityHubResourceId": { - "value": "[variables('platformResourceIds').vNetHubResourceId]" + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "expressRouteScaleUnit": { 
+ "value": "[parameters('expressRouteScaleUnit')]" + }, + "vpnGateWayScaleUnit": { + "value": "[parameters('vpnGateWayScaleUnit')]" + }, + "enablevWANRoutingIntent": { + "value": "[parameters('enablevWANRoutingIntent')]" + }, + "internetTrafficRoutingPolicy": { + "value": "[parameters('internetTrafficRoutingPolicy')]" + }, + "privateTrafficRoutingPolicy": { + "value": "[parameters('privateTrafficRoutingPolicy')]" + }, + "vWANHubRoutingPreference": { + "value": "[parameters('vWANHubRoutingPreference')]" + }, + "vWanHubCapacity": { + "value": "[parameters('vWANHubCapacity')]" + }, + "enableHubSecondary": { + "value": "[parameters('enableHubSecondary')]" + }, + "enableAzFwSecondary": { + "value": "[parameters('enableAzFwSecondary')]" + }, + "firewallSkuSecondary": { + "value": "[parameters('firewallSkuSecondary')]" + }, + "firewallZonesSecondary": { + "value": "[parameters('firewallZonesSecondary')]" + }, + "enableAzFwDnsProxySecondary": { + "value": "[parameters('enableAzFwDnsProxySecondary')]" + }, + "addressPrefixSecondary": { + "value": "[parameters('addressPrefixSecondary')]" + }, + "enableVpnGwSecondary": { + "value": "[parameters('enableVpnGwSecondary')]" + }, + "enableErGwSecondary": { + "value": "[parameters('enableErGwSecondary')]" + }, + "locationSecondary": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "expressRouteScaleUnitSecondary": { + "value": "[parameters('expressRouteScaleUnitSecondary')]" + }, + "vpnGateWayScaleUnitSecondary": { + "value": "[parameters('vpnGateWayScaleUnitSecondary')]" + }, + "enablevWANRoutingIntentSecondary": { + "value": "[parameters('enablevWANRoutingIntentSecondary')]" + }, + "internetTrafficRoutingPolicySecondary": { + "value": "[parameters('internetTrafficRoutingPolicySecondary')]" + }, + "privateTrafficRoutingPolicySecondary": { + "value": "[parameters('privateTrafficRoutingPolicySecondary')]" + }, + "vWANHubRoutingPreferenceSecondary": { + "value": "[parameters('vWANHubRoutingPreferenceSecondary')]" + 
}, + "vWANHubCapacitySecondary": { + "value": "[parameters('vWANHubCapacitySecondary')]" } } } }, - /* - Note: ES Lite only: assign DDoS policy for landing zones + /* + Note: ES Lite only: deploys hub and spoke in a secondary region */ { - // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true - "condition": "[and(and(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableHub'), 'Yes'))]", + // Configuring and deploying the connectivity hub (hub and spoke) in a secondary region + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableSecondaryRegion'), 'Yes'), equals(parameters('enableHubSecondary'), 'vhub'))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName]", + "apiVersion": "2019-05-01", "scope": "[variables('scopes').platformManagementGroup]", - "location": "[deployment().location]", + "name": "[variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]" ], + "location": "[deployment().location]", "properties": { "mode": "Incremental", "templateLink": { "contentVersion": 
"1.0.0.0", - "uri": "[variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName]" + "uri": "[variables('deploymentUris').vnetConnectivityHub]" }, "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, "ddosPlanResourceId": { "value": "[variables('platformResourceIds').ddosProtectionResourceId]" }, - "topLevelManagementGroupPrefix": { - "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]" + "enableHub": { + "value": "[parameters('enableHubSecondary')]" }, - "enforcementMode": { - "value": "Default" + "enableAzFw": { + "value": "[parameters('enableAzFwSecondary')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefixSecondary')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGwSecondary')]" + }, + "enableErGw": { + "value": "[parameters('enableErGwSecondary')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": "[parameters('subnetMaskForAzFwSecondary')]" + }, + "subnetMaskForAzFwMgmt": { + "value": "[parameters('subnetMaskForAzFwMgmtSecondary')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGwSecondary')]" + }, + "firewallSku": { + "value": "[parameters('firewallSkuSecondary')]" + }, + "firewallZones": { + "value": "[parameters('firewallZonesSecondary')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxySecondary')]" + }, + "enableVpnActiveActive": { + "value": "[parameters('enableVpnActiveActiveSecondary')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAzSecondary')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSkuSecondary')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSkuSecondary')]" + }, + "erRegionalOrAz": { + "value": 
"[parameters('erRegionalOrAzSecondary')]" + }, + "erAzSku": { + "value": "[parameters('erAzSkuSecondary')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSkuSecondary')]" } } } }, /* - Note: ES Lite only: deploys hub and spoke + Note: ES Lite only: deploys virtual hub (NVA) in a secondary region */ { - // Configuring and deploying the connectivity hub (hub and spoke) - "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", + // Configuring and deploying the connectivity hub (NVA) in a secondary region + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableSecondaryRegion'), 'Yes'), equals(parameters('enableHubSecondary'), 'nva'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2019-05-01", "scope": "[variables('scopes').platformManagementGroup]", - "name": "[variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName]", + "name": "[variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", @@ -3449,7 +8284,7 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').vnetConnectivityHub]" + "uri": "[variables('deploymentUris').nvaConnectivityHub]" }, "parameters": { "topLevelManagementGroupPrefix": { 
@@ -3459,203 +8294,303 @@ "value": "[variables('platformResourceIds').ddosProtectionResourceId]" }, "enableHub": { - "value": "[parameters('enableHub')]" - }, - "enableAzFw": { - "value": "[parameters('enableAzFw')]" + "value": "[parameters('enableHubSecondary')]" }, "addressPrefix": { - "value": "[parameters('addressPrefix')]" + "value": "[parameters('addressPrefixSecondary')]" }, "enableVpnGw": { - "value": "[parameters('enableVpnGw')]" + "value": "[parameters('enableVpnGwSecondary')]" }, "enableErGw": { - "value": "[parameters('enableErGw')]" + "value": "[parameters('enableErGwSecondary')]" }, "enableDdoS": { "value": "[parameters('enableDdoS')]" }, "location": { - "value": "[parameters('connectivityLocation')]" + "value": "[parameters('connectivityLocationSecondary')]" }, "connectivitySubscriptionId": { "value": "[parameters('singlePlatformSubscriptionId')]" }, - "subnetMaskForAzFw": { - "value": "[parameters('subnetMaskForAzFw')]" - }, "subnetMaskForGw": { - "value": "[parameters('subnetMaskForGw')]" - }, - "firewallSku": { - "value": "[parameters('firewallSku')]" + "value": "[parameters('subnetMaskForGwSecondary')]" }, - "firewallZones": { - "value": "[parameters('firewallZones')]" - }, - "enableAzFwDnsProxy": { - "value": "[parameters('enableAzFwDnsProxy')]" + "enableVpnActiveActive": { + "value": "[parameters('enableVpnActiveActiveSecondary')]" }, "gwRegionalOrAz": { - "value": "[parameters('gwRegionalOrAz')]" + "value": "[parameters('gwRegionalOrAzSecondary')]" }, "gwAzSku": { - "value": "[parameters('gwAzSku')]" + "value": "[parameters('gwAzSkuSecondary')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSkuSecondary')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAzSecondary')]" + }, + "erAzSku": { + "value": "[parameters('erAzSkuSecondary')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSkuSecondary')]" + } + } + } + }, + /* + Note: ES Lite only: deploys peering between hub networks in the primary and 
secondary region + */ + { + // Peering the primary hub and the secondary hub (when nva or vhub is selected) + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), or(equals(parameters('enableHubSecondary'), 'nva'), equals(parameters('enableHubSecondary'), 'vhub')), equals(parameters('enableSecondaryRegion'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('esLitedeploymentNames').hubPeeringDeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "location": "[parameters('connectivityLocation')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLite2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLite2DeploymentName)]", + "corpConnectedMoveLzs" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').hubVnetPeering]" + }, + "parameters": { + "hubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceId]" }, - "gwRegionalSku": { - "value": "[parameters('gwRegionalSku')]" + "hubResourceIdSecondary": { + "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]" }, - "erRegionalOrAz": { - "value": "[parameters('erRegionalOrAz')]" + "hubLocation": { + "value": "[parameters('connectivityLocation')]" }, - "erAzSku": { - "value": "[parameters('erAzSku')]" + "hubLocationSecondary": { + "value": "[parameters('connectivityLocationSecondary')]" }, - "erRegionalSku": { - "value": "[parameters('erRegionalSku')]" - } + "hubRgName": { + "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocation'))]" + }, + "hubRgNameSecondary": { + "value": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('connectivityLocationSecondary'))]" } } } }, - /* - Note: ES Lite only: deploys virtual hub (NVA) + /* + Note: ES Lite only: deploys route tables to forward traffic between hubs */ { - // Configuring and deploying the connectivity hub (NVA) - "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'nva'))]", + // Creating routing from first region to second region + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableHub'), 'vhub'), 
equals(parameters('enableAzFw'), 'Yes'), equals(parameters('enableAzFwSecondary'), 'Yes'))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-05-01", - "scope": "[variables('scopes').platformManagementGroup]", - "name": "[variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName]", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').vnetConnectivityRouteTableDeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').connectivityRg]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').hubPeeringDeploymentName)]" ], - "location": "[deployment().location]", "properties": { "mode": "Incremental", "templateLink": { 
"contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').nvaConnectivityHub]" + "uri": "[variables('deploymentUris').hubVnetRouting]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "ddosPlanResourceId": { - "value": "[variables('platformResourceIds').ddosProtectionResourceId]" - }, - "enableHub": { - "value": "[parameters('enableHub')]" + "connectivityHubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceId]" }, - "addressPrefix": { - "value": "[parameters('addressPrefix')]" + "subnetName": { + "value": "AzureFirewallSubnet" }, - "enableVpnGw": { - "value": "[parameters('enableVpnGw')]" + "cidrRange": { + "value": "[parameters('addressPrefixSecondary')]" }, - "enableErGw": { - "value": "[parameters('enableErGw')]" + "targetFWSubnetCidr": { + "value": "[parameters('subnetMaskForAzFwSecondary')]" }, - "enableDdoS": { - "value": "[parameters('enableDdoS')]" + "sourceFWSubnetCidr": { + "value": "[parameters('subnetMaskForAzFw')]" }, - "location": { + "hubLocation": { "value": "[parameters('connectivityLocation')]" - }, - "connectivitySubscriptionId": { - "value": "[parameters('singlePlatformSubscriptionId')]" - }, - "subnetMaskForGw": { - "value": "[parameters('subnetMaskForGw')]" - }, - "gwRegionalOrAz": { - "value": "[parameters('gwRegionalOrAz')]" - }, - "gwAzSku": { - "value": "[parameters('gwAzSku')]" - }, - "gwRegionalSku": { - "value": "[parameters('gwRegionalSku')]" - }, - "erRegionalOrAz": { - "value": "[parameters('erRegionalOrAz')]" - }, - "erAzSku": { - "value": "[parameters('erAzSku')]" - }, - "erRegionalSku": { - "value": "[parameters('erRegionalSku')]" } } } }, /* - Note: ES Lite only: deploys VWAN hub (Microsoft Managed) + Note: ES Lite only: deploys route tables to forward traffic between hubs */ { - // Creating the VWAN network hub (Microsoft managed) - "condition": 
"[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]", + // Creating routing from second region to first region + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableHub'), 'vhub'), equals(parameters('enableAzFw'), 'Yes'), equals(parameters('enableAzFwSecondary'), 'Yes'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "scope": "[variables('scopes').platformManagementGroup]", - "name": "[variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName]", + "name": "[variables('esLitedeploymentNames').vnetConnectivityRouteTable2DeploymentName]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').connectivityRgSecondary]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLite2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLite2DeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').hubPeeringDeploymentName)]" ], - "location": "[deployment().location]", "properties": { "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').vwanConnectivityHub]" + "uri": "[variables('deploymentUris').hubVnetRouting]" }, "parameters": { "topLevelManagementGroupPrefix": { "value": "[parameters('enterpriseScaleCompanyPrefix')]" }, - "enableHub": { - "value": "[parameters('enableHub')]" + "connectivityHubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceIdSecondary]" }, - "enableAzFw": { - "value": "[parameters('enableAzFw')]" + "subnetName": { + "value": "AzureFirewallSubnet" }, - "firewallSku": { - "value": "[parameters('firewallSku')]" + "cidrRange": { + "value": "[parameters('addressPrefix')]" }, - "firewallZones": { - "value": "[parameters('firewallZones')]" + "targetFWSubnetCidr": { + "value": "[parameters('subnetMaskForAzFw')]" }, - "addressPrefix": { - "value": "[parameters('addressPrefix')]" + "sourceFWSubnetCidr": { + "value": "[parameters('subnetMaskForAzFwSecondary')]" }, - "enableVpnGw": { - "value": "[parameters('enableVpnGw')]" + "hubLocation": { + "value": "[parameters('connectivityLocationSecondary')]" + } + } + } + }, + /* + Note: ES Lite only: deploys Data Collection Rule for VM Insights + */ + { + // Deploying Data Collection Rule for VM Insights if condition is true + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableVmInsights'), 'Yes'))]", + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').dataCollectionRuleVmInsightsLiteDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').dataCollectionRuleVmInsights]" + }, + "parameters": { + "WorkspaceResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" }, - "enableErGw": { - "value": "[parameters('enableErGw')]" + "WorkspaceLocation": { + "value": "[deployment().location]" }, - "location": { - "value": "[parameters('connectivityLocation')]" + "userGivenDcrName": { + "value": "[variables('platformResourceNames').dataCollectionRuleVmInsights]" + } + } + } + }, + /* + Note: ES Lite only: deploys Data Collection Rule for Change Tracking + */ + { + // Deploying Data Collection Rule for Change Tracking if condition is true + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').dataCollectionRuleChangeTrackingLiteDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').dataCollectionRuleChangeTracking]" + }, + "parameters": { + "WorkspaceResourceId": { + 
"value": "[variables('platformResourceIds').logAnalyticsResourceId]" }, - "connectivitySubscriptionId": { - "value": "[parameters('singlePlatformSubscriptionId')]" + "WorkspaceLocation": { + "value": "[deployment().location]" }, - "expressRouteScaleUnit": { - "value": "[parameters('expressRouteScaleUnit')]" + "dataCollectionRuleName": { + "value": "[variables('platformResourceNames').dataCollectionRuleChangeTracking]" + } + } + } + }, + /* + Note: ES Lite only: deploys Data Collection Rule for Defender for SQL + */ + { + // Deploying Data Collection Rule for Mdfc Defender for SQL if condition is true + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLiteDeploymentNames').dataCollectionRuleMdfcDefenderSQLLiteDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').dataCollectionRuleMdfcDefenderSQL]" + }, + "parameters": { + "WorkspaceResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" }, - "vpnGateWayScaleUnit": { - "value": "[parameters('vpnGateWayScaleUnit')]" + "WorkspaceLocation": { + "value": "[deployment().location]" + }, + "userGivenDcrName": { + "value": "[variables('platformResourceNames').dataCollectionRuleMdfcDefenderSql]" } } } 
@@ -3722,14 +8657,14 @@ } }, /* - Note: ES Lite only: assign policy to deny RDP from internet to platform MG + Note: ES Lite only: assign policy to deny management ports from internet to platform MG */ { - // Assigning deny rpd from internet policy landing zones management group if condition is true - "condition": "[and(equals(parameters('denyRdpForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + // Assigning deny management ports from internet policy landing zones management group if condition is true + "condition": "[and(equals(parameters('denyMgmtPortsForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "[variables('esLitedeploymentNames').rdpFromInternetIdentityLitePolicyDeploymentName]", + "name": "[variables('esLitedeploymentNames').mgmtFromInternetIdentityLitePolicyDeploymentName]", "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ @@ -3740,7 +8675,7 @@ "mode": "Incremental", "templateLink": { "contentVersion": "1.0.0.0", - "uri": "[variables('deploymentUris').rdpFromInternetPolicyAssignment]" + "uri": "[variables('deploymentUris').mgmtFromInternetPolicyAssignment]" }, "parameters": { "topLevelManagementGroupPrefix": { @@ -3754,7 +8689,7 @@ }, { "condition": "[equals(parameters('telemetryOptOut'), 'No')]", - "apiVersion": "2020-06-01", + "apiVersion": "2022-09-01", "name": "[variables('deploymentNames').pidCuaDeploymentName]", "location": "[deployment().location]", "type": "Microsoft.Resources/deployments", 
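Review bot: The new comment line `// Assigning deny management ports from internet policy landing zones management group if condition is true` still says "landing zones management group", but the deployment's `scope` on the context line below it is `variables('scopes').platformManagementGroup` and the block note just above says "platform MG"; suggest `// Assigning deny management ports from internet policy to the platform management group (identity) if condition is true`. The same hunk keeps `variables('esLitedeploymentNames')` (lower-case d) while the Data Collection Rule deployments earlier in this file use `variables('esLiteDeploymentNames')`; ARM resolves variable names case-insensitively, so this is only a consistency point, but a single spelling makes the template searchable. The enclosing resource object continues outside the hunk.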
@@ -3768,16 +8703,105 @@ } }, { - "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableAzFw'), 'Yes'), equals(parameters('firewallSku'), 'Premium'), equals(parameters('denySubnetWithoutNsg'), 'Yes'), equals(parameters('denySubnetWithoutNsgForIdentity'), 'Yes'), equals(parameters('enableStorageHttps'), 'Yes'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'vwan')), or(not(empty(parameters('connectivitySubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))))]", - "apiVersion": "2020-06-01", - "name": "[variables('deploymentNames').ztnPhase1PidCuaDeploymentName]", - "subscriptionId": "[coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))]", + "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "apiVersion": "2022-09-01", + "name": "[variables('deploymentNames').pidCuaDeploymentNameSinglePlatformSub]", + "location": "[deployment().location]", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), empty(parameters('singlePlatformSubscriptionId')))]", + "apiVersion": "2022-09-01", + "name": "[variables('deploymentNames').pidCuaDeploymentNameMultiPlatformSubs]", + "location": "[deployment().location]", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableHub'), 
'No'))]", + "apiVersion": "2022-09-01", + "name": "[variables('deploymentNames').pidCuaDeploymentNameNetworkingNone]", + "location": "[deployment().location]", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')))]", + "apiVersion": "2022-09-01", + "name": "[variables('deploymentNames').pidCuaDeploymentNameNetworkingHubSpoke]", + "location": "[deployment().location]", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableHub'), 'vwan'))]", + "apiVersion": "2022-09-01", + "name": "[variables('deploymentNames').pidCuaDeploymentNameNetworkingVirtualWan]", + "location": "[deployment().location]", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableMonitorBaselines'), 'Yes'))]", + "apiVersion": "2022-09-01", + "name": "[variables('deploymentNames').ambaPortalPidCuaDeploymentName]", + "location": "[deployment().location]", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 
+ "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableSecondaryRegion'), 'Yes'))]", + "apiVersion": "2022-09-01", + "name": "[variables('deploymentNames').pidCuaDeploymentNameSecondaryRegion]", "location": "[deployment().location]", "type": "Microsoft.Resources/deployments", "properties": { "mode": "Incremental", "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [] } diff --git a/eslzArm/eslzArm.terraform-sync.param.json b/eslzArm/eslzArm.terraform-sync.param.json new file mode 100644 index 0000000000..e256065722 --- /dev/null +++ b/eslzArm/eslzArm.terraform-sync.param.json 
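Review bot: The two networking telemetry conditions (`pidCuaDeploymentNameNetworkingHubSpoke` and `pidCuaDeploymentNameNetworkingVirtualWan`) key only on `enableHub`, whereas the removed `ztnPhase1PidCuaDeploymentName` condition also required a connectivity or single-platform subscription; if the rest of the template (outside this hunk) only deploys a hub when one of those is supplied, these records will fire for topologies that are never deployed. Consider appending `or(not(empty(parameters('connectivitySubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId'))))` to both conditions, mirroring the removed line. The hub-spoke condition enumerates `'vhub'` and `'nva'` and the vWAN one `'vwan'`, with `'No'` handled separately; if `enableHub` admits any other value it is counted nowhere, so a one-line comment on the first of these resources stating the intended coverage would help, e.g. `// Telemetry: one PID per networking topology; 'No', 'vhub'/'nva' and 'vwan' are the expected enableHub values`.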
@@ -0,0 +1,464 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "addressPrefix": {
+ "value": "10.100.0.0/16"
+ },
+ "addressPrefixSecondary": {
+ "value": "10.200.0.0/16"
+ },
+ "auditAppGwWaf": {
+ "value": "Yes"
+ },
+ "auditPeDnsZones": {
+ "value": "Yes"
+ },
+ "connectivitySubscriptionId": {
+ "value": "00000000-0000-0000-0000-000000000000"
+ },
+ "delayCount": {
+ "value": 45
+ },
+ "denyAksPrivileged": {
+ "value": "Yes"
+ },
+ "denyAksPrivilegedEscalation": {
+ "value": "Yes"
+ },
+ "denyClassicResources": {
+ "value": "Yes"
+ },
+ "denyHttpIngressForAks": {
+ "value": "Yes"
+ },
+ "denyHybridNetworking": {
+ "value": "Yes"
+ },
+ "denyIpForwarding": {
+ "value": "Yes"
+ },
+ "denyMgmtPorts": {
+ "value": "Yes"
+ },
+ "denyMgmtPortsForIdentity": {
+ "value": "Yes"
+ },
+ "denyPipForIdentity": {
+ "value": "Yes"
+ },
+ "denyPipOnNicForCorp": {
+ "value": "Yes"
+ },
+ "denyPublicEndpoints": {
+ "value": "Yes"
+ },
+ "denySubnetWithoutNsg": {
+ "value": "Yes"
+ },
+ "denySubnetWithoutNsgForIdentity": {
+ "value": "Yes"
+ },
+ "denyVMUnmanagedDisk": {
+ "value": "Yes"
+ },
+ "emailContactAsc": {
+ "value": "test.user@replace.me"
+ },
+ "enableAgentHealth": {
+ "value": "Yes"
+ },
+ "enableAksPolicy": {
+ "value": "Yes"
+ },
+ "enableAsc": {
+ "value": "Yes"
+ },
+ "enableAscForApis": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForAppServices": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForArm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForCosmosDbs": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForCspm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForDns": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForKeyVault": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForOssDb": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForServersVulnerabilityAssessments": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSql": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSqlOnVm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForStorage": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAzFw": {
+ "value": "No"
+ },
+ "enableAzFwDnsProxy": {
+ "value": "No"
+ },
+ "enableAzFwDnsProxySecondary": {
+ "value": "No"
+ },
+ "enableAzFwSecondary": {
+ "value": "No"
+ },
+ "enableChangeTracking": {
+ "value": "Yes"
+ },
+ "enableDdoS": {
+ "value": "Yes"
+ },
+ "enableDecommissioned": {
+ "value": "Yes"
+ },
+ "enableEncryptionInTransit": {
+ "value": "Yes"
+ },
+ "enableErGw": {
+ "value": "No"
+ },
+ "enableErGwSecondary": {
+ "value": "No"
+ },
+ "enableHub": {
+ "value": "vhub"
+ },
+ "enableHubSecondary": {
+ "value": "vhub"
+ },
+ "enableLogAnalytics": {
+ "value": "Yes"
+ },
+ "enableLzDdoS": {
+ "value": "Yes"
+ },
+ "enableMDEndpoints": {
+ "value": "DeployIfNotExists"
+ },
+ "enableMonitorBaselines": {
+ "value": "No"
+ },
+ "enablePrivateDnsZones": {
+ "value": "Yes"
+ },
+ "enablePrivateDnsZonesSecondary": {
+ "value": "No"
+ },
+ "enablePrivateDnsZonesForLzs": {
+ "value": "Yes"
+ },
+ "enableSandbox": {
+ "value": "Yes"
+ },
+ "enableSecondaryRegion": {
+ "value": "Yes"
+ },
+ "enableSecuritySolution": {
+ "value": "Yes"
+ },
+ "enableSqlAdvancedThreatProtection": {
+ "value": "Yes"
+ },
+ "enableSqlAssessment": {
+ "value": "Yes"
+ },
+ "enableSqlAudit": {
+ "value": "Yes"
+ },
+ "enableSqlEncryption": {
+ "value": "Yes"
+ },
+ "enableSqlThreat": {
+ "value": "Yes"
+ },
+ "enableSqlVulnerabilityAssessment": {
+ "value": "Yes"
+ },
+ "enableStorageHttps": {
+ "value": "Yes"
+ },
+ "enableUpdateMgmt": {
+ "value": "Yes"
+ },
+ "enableVmBackup": {
+ "value": "Yes"
+ },
+ "enableVmBackupForIdentity": {
+ "value": "Yes"
+ },
+ "enableVmHybridMonitoring": {
+ "value": "Yes"
+ },
+ "enableVmInsights": {
+ "value": "Yes"
+ },
+ "enableVmMonitoring": {
+ "value": "Yes"
+ },
+ "enableVmssMonitoring": {
+ "value": "Yes"
+ },
+ "enableVpnActiveActive": {
+ "value": "No"
+ },
+ "enableVpnActiveActiveSecondary": {
+ "value": "No"
+ },
+ "enableVpnGw": {
+ "value": "No"
+ },
+ "enableVpnGwSecondary": {
+ "value": "No"
+ },
+ "enablevWANRoutingIntent": {
+ "value": "No"
+ },
+ "enablevWANRoutingIntentSecondary": {
+ "value": "No"
+ },
+ "enableWsAPIMInitiatives": {
+ "value": "No"
+ },
+ "enableWsAppServicesInitiatives": {
+ "value": "No"
+ },
+ "enableWsAutomationInitiatives": {
+ "value": "No"
+ },
+ "enableWsCMKInitiatives": {
+ "value": "No"
+ },
+ "enableWsCognitiveServicesInitiatives": {
+ "value": "No"
+ },
+ "enableWsComputeInitiatives": {
+ "value": "No"
+ },
+ "enableWsContainerAppsInitiatives": {
+ "value": "No"
+ },
+ "enableWsContainerInstanceInitiatives": {
+ "value": "No"
+ },
+ "enableWsContainerRegistryInitiatives": {
+ "value": "No"
+ },
+ "enableWsCosmosDbInitiatives": {
+ "value": "No"
+ },
+ "enableWsDataExplorerInitiatives": {
+ "value": "No"
+ },
+ "enableWsDataFactoryInitiatives": {
+ "value": "No"
+ },
+ "enableWsEventGridInitiatives": {
+ "value": "No"
+ },
+ "enableWsEventHubInitiatives": {
+ "value": "No"
+ },
+ "enableWsKeyVaultSupInitiatives": {
+ "value": "No"
+ },
+ "enableWsKubernetesInitiatives": {
+ "value": "No"
+ },
+ "enableWsMachineLearningInitiatives": {
+ "value": "No"
+ },
+ "enableWsMySQLInitiatives": {
+ "value": "No"
+ },
+ "enableWsNetworkInitiatives": {
+ "value": "No"
+ },
+ "enableWsOpenAIInitiatives": {
+ "value": "No"
+ },
+ "enableWsPostgreSQLInitiatives": {
+ "value": "No"
+ },
+ "enableWsServiceBusInitiatives": {
+ "value": "No"
+ },
+ "enableWsSQLInitiatives": {
+ "value": "No"
+ },
+ "enableWsStorageInitiatives": {
+ "value": "No"
+ },
+ "enableWsSynapseInitiatives": {
+ "value": "No"
+ },
+ "enableWsVirtualDesktopInitiatives": {
+ "value": "No"
+ },
+ "enforceAcsb": {
+ "value": "Yes"
+ },
+ "enforceBackup": {
+ "value": "Yes"
+ },
+ "enforceBackupPlat": {
+ "value": "Yes"
+ },
+ "enforceKvGuardrails": {
+ "value": "Yes"
+ },
+ "enforceKvGuardrailsPlat": {
+ "value": "Yes"
+ },
+ "enterpriseScaleCompanyPrefix": {
+ "value": "defaults"
+ },
+ "erAzSku": {
+ "value": ""
+ },
+ "erAzSkuSecondary": {
+ "value": ""
+ },
+ "erRegionalOrAz": {
+ "value": ""
+ },
+ "erRegionalOrAzSecondary": {
+ "value": ""
+ },
+ "erRegionalSku": {
+ "value": ""
+ },
+ "erRegionalSkuSecondary": {
+ "value": ""
+ },
+ "expressRouteScaleUnit": {
+ "value": "1"
+ },
+ "expressRouteScaleUnitSecondary": {
+ "value": "1"
+ },
+ "firewallSku": {
+ "value": "Standard"
+ },
+ "firewallSkuSecondary": {
+ "value": "Standard"
+ },
+ "firewallZones": {
+ "value": []
+ },
+ "firewallZonesSecondary": {
+ "value": []
+ },
+ "gwAzSku": {
+ "value": ""
+ },
+ "gwAzSkuSecondary": {
+ "value": ""
+ },
+ "gwRegionalOrAz": {
+ "value": ""
+ },
+ "gwRegionalOrAzSecondary": {
+ "value": ""
+ },
+ "gwRegionalSku": {
+ "value": ""
+ },
+ "gwRegionalSkuSecondary": {
+ "value": ""
+ },
+ "identityAddressPrefix": {
+ "value": "10.110.0.0/24"
+ },
+ "identityAddressPrefixSecondary": {
+ "value": "10.210.0.0/24"
+ },
+ "identitySubscriptionId": {
+ "value": "00000000-0000-0000-0000-000000000000"
+ },
+ "internetTrafficRoutingPolicy": {
+ "value": false
+ },
+ "internetTrafficRoutingPolicySecondary": {
+ "value": false
+ },
+ "listOfResourceTypesDisallowedForDeletion": {
+ "value": [
+ "microsoft.managedidentity/userassignedidentities"
+ ]
+ },
+ "managementSubscriptionId": {
+ "value": "00000000-0000-0000-0000-000000000000"
+ },
+ "monitorAlertsResourceGroup": {
+ "value": ""
+ },
+ "retentionInDays": {
+ "value": "30"
+ },
+ "subnetMaskForAzFw": {
+ "value": ""
+ },
+ "subnetMaskForAzFwMgmt": {
+ "value": ""
+ },
+ "subnetMaskForAzFwMgmtSecondary": {
+ "value": ""
+ },
+ "subnetMaskForAzFwSecondary": {
+ "value": ""
+ },
+ "subnetMaskForGw": {
+ "value": ""
+ },
+ "subnetMaskForGwSecondary": {
+ "value": ""
+ },
+ "telemetryOptOut": {
+ "value": 
"Yes" + }, + "vpnGateWayScaleUnit": { + "value": "1" + }, + "vpnGateWayScaleUnitSecondary": { + "value": "1" + }, + "vWANHubCapacity": { + "value": "2" + }, + "vWANHubCapacitySecondary": { + "value": "2" + }, + "vWANHubRoutingPreference": { + "value": "ExpressRoute" + }, + "vWANHubRoutingPreferenceSecondary": { + "value": "ExpressRoute" + } + } +} \ No newline at end of file diff --git a/eslzArm/eslzArm.test.param.json b/eslzArm/eslzArm.test.param.json index 8b0f4eff2e..cea587aa41 100644 --- a/eslzArm/eslzArm.test.param.json +++ b/eslzArm/eslzArm.test.param.json @@ -11,32 +11,29 @@ "enableLogAnalytics": { "value": "Yes" }, - "retentionInDays": { - "value": "30" - }, - "enableAgentHealth": { + "enableMonitorBaselines": { "value": "Yes" }, - "enableChangeTracking": { + "enableMonitorConnectivity": { "value": "Yes" }, - "enableUpdateMgmt": { + "enableMonitorIdentity": { "value": "Yes" }, - "enableVmInsights": { + "enableMonitorManagement": { "value": "Yes" }, - "enableServiceMap": { + "enableMonitorLandingZones": { "value": "Yes" }, - "enableSqlAssessment": { - "value": "Yes" + "monitorAlertsResourceGroup": { + "value": "rg-amba-monitoring-001" }, - "enableSqlVulnerabilityAssessment": { - "value": "Yes" + "emailContactActionGroup": { + "value": "test.user@replace.me" }, - "enableSqlAdvancedThreatProtection": { - "value": "Yes" + "retentionInDays": { + "value": "30" }, "enableAsc": { "value": "Yes" @@ -47,6 +44,9 @@ "enableAscForServers": { "value": "DeployIfNotExists" }, + "enableAscForServersVulnerabilityAssessments": { + "value": "DeployIfNotExists" + }, "enableAscForOssDb": { "value": "DeployIfNotExists" }, 
@@ -71,35 +71,17 @@ "enableAscForArm": { "value": "DeployIfNotExists" }, - "enableAscForDns": { + "enableAscForApis": { "value": "DeployIfNotExists" }, - "enableAscForContainers": { + "enableAscForCspm": { "value": "DeployIfNotExists" }, - "enableSecuritySolution": { - "value": "Yes" - }, - "enableAzOps": { - "value": "No" - }, - "gitHubUserNameOrOrg": { - "value": "" - }, - "repositoryName": { - "value": "" - }, - "paToken": { - "value": "" - }, - "principalId": { - "value": [] - }, - "principalSecret": { - "value": "" + "enableAscForContainers": { + "value": "DeployIfNotExists" }, - "appId": { - "value": "" + "enableMDEndpoints": { + "value": "DeployIfNotExists" }, "addressPrefix": { "value": "10.100.0.0/16" @@ -113,6 +95,9 @@ "enableVpnGw": { "value": "No" }, + "enableVpnActiveActive": { + "value": "Yes" + }, "gwRegionalOrAz": { "value": "" }, 
@@ -161,7 +146,67 @@ "subnetMaskForAzFw": { "value": "" }, - "denyRdpForIdentity": { + "addressPrefixSecondary": { + "value": "10.200.0.0/16" + }, + "enablePrivateDnsZonesSecondary": { + "value": "Yes" + }, + "enableVpnGwSecondary": { + "value": "No" + }, + "enableVpnActiveActiveSecondary": { + "value": "Yes" + }, + "gwRegionalOrAzSecondary": { + "value": "" + }, + "gwRegionalSkuSecondary": { + "value": "" + }, + "gwAzSkuSecondary": { + "value": "" + }, + "vpnGateWayScaleUnitSecondary": { + "value": "1" + }, + "subnetMaskForGwSecondary": { + "value": "" + }, + "enableErGwSecondary": { + "value": "No" + }, + "erAzSkuSecondary": { + "value": "" + }, + "erRegionalSkuSecondary": { + "value": "" + }, + "erRegionalOrAzSecondary": { + "value": "" + }, + "expressRouteScaleUnitSecondary": { + "value": "1" + }, + "enableHubSecondary": { + "value": "vhub" + }, + "enableAzFwSecondary": { + "value": "No" + }, + "enableAzFwDnsProxySecondary": { + "value": "No" + }, + "firewallSkuSecondary": { + "value": "Standard" + }, + "firewallZonesSecondary": { + "value": [] + }, + "subnetMaskForAzFwSecondary": { + "value": "" + }, + "denyMgmtPortsForIdentity": { "value": "Yes" }, "denySubnetWithoutNsgForIdentity": { @@ -170,12 +215,18 @@ "denyPipForIdentity": { "value": "Yes" }, + "denyPipOnNicForCorp": { + "value": "Yes" + }, "enableVmBackupForIdentity": { "value": "Yes" }, "identityAddressPrefix": { "value": "10.110.0.0/24" }, + "identityAddressPrefixSecondary": { + "value": "10.210.0.0/24" + }, "enableLzDdoS": { "value": "No" }, @@ -194,9 +245,6 @@ "enableVmssMonitoring": { "value": "Yes" }, - "enableAksPolicy": { - "value": "Yes" - }, "denyAksPrivileged": { "value": "Yes" }, 
@@ -206,25 +254,22 @@ "denyHttpIngressForAks": { "value": "Yes" }, - "denyDatabricksPip": { - "value": "Yes" - }, - "denyDatabricksVnet": { + "enableVmBackup": { "value": "Yes" }, - "denyDatabricksSku": { + "denyMgmtPorts": { "value": "Yes" }, - "enableVmBackup": { + "denySubnetWithoutNsg": { "value": "Yes" }, - "denyRdp": { + "denyIpForwarding": { "value": "Yes" }, - "denySubnetWithoutNsg": { + "denyClassicResources": { "value": "Yes" }, - "denyIpForwarding": { + "denyVMUnmanagedDisk": { "value": "Yes" }, "enableSqlEncryption": { @@ -233,11 +278,32 @@ "enableSqlAudit": { "value": "Yes" }, + "enableDecommissioned": { + "value": "Yes" + }, + "enableSandbox": { + "value": "Yes" + }, "enableStorageHttps": { "value": "Yes" }, + "enforceKvGuardrails": { + "value": "Yes" + }, + "enforceBackup": { + "value": "Yes" + }, + "denyHybridNetworking": { + "value": "Yes" + }, + "auditPeDnsZones": { + "value": "Yes" + }, + "enforceAcsb": { + "value": "Yes" + }, "delayCount": { - "value": 30 + "value": 35 } } } \ No newline at end of file diff --git a/eslzArm/fairfaxeslz-portal.json b/eslzArm/fairfaxeslz-portal.json index 32b146ccdf..2212793b38 100644 --- a/eslzArm/fairfaxeslz-portal.json +++ b/eslzArm/fairfaxeslz-portal.json @@ -108,6 +108,30 @@ } ], "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]" + }, + { + "name": "denyClassicResources", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent the deployment of classic resources", + "defaultValue": "Yes (recommended)", + "visible": true, + "toolTip": "If 'Yes' is selected then Azure Policy will prevent deployment of classic resources.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "Audit only", + "value": "Audit" + }, + { + "label": "No", + "value": "No" + } + ] + } } ] }, 
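Review bot: The toolTip on the new `denyClassicResources` option in fairfaxeslz-portal.json describes only the 'Yes' choice (`If 'Yes' is selected then Azure Policy will prevent deployment of classic resources.`) although the control also offers 'Audit only'; suggest `If 'Yes' is selected, Azure Policy will deny deployment of classic resources; 'Audit only' flags existing or new classic resources as non-compliant without blocking them.` The control emits the value `Audit`, so the template parameter this element maps to must list it among its allowed values; the parameter files in this commit only exercise `Yes`, and the outputs mapping is outside the hunk, so that path is not verified here.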
@@ -289,26 +313,6 @@ }, "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" }, - { - "name": "esServiceMap", - "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy Service Map solution", - "defaultValue": "Yes (recommended)", - "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", - "constraints": { - "allowedValues": [ - { - "label": "Yes (recommended)", - "value": "Yes" - }, - { - "label": "No", - "value": "No" - } - ] - }, - "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" - }, { "name": "esSqlAssessment", "type": "Microsoft.Common.OptionsGroup", 
@@ -556,162 +560,6 @@ } ] }, - { - "name": "lzDevOps", - "label": "Platform DevOps and automation", - "subLabel": {}, - "bladeTitle": "lz Dev Ops", - "elements": [ - { - "name": "info", - "type": "Microsoft.Common.InfoBox", - "visible": "[or(not(empty(steps('esGoalState').esMgmtSubSection.esMgmtSub)), not(empty(steps('lzSettings').esSingleSubSection.esSingleSub)))]", - "options": { - "text": "Azure Landing Zones provides an integrated CICD pipeline via AzOps that can be used with either GitHub Actions or Azure DevOps pipelines.", - "uri": "https://github.com/azure/azops-accelerator/wiki/introduction", - "style": "Info" - } - }, - { - "name": "correction", - "type": "Microsoft.Common.InfoBox", - "visible": "[and(equals(steps('esGoalState').esLogAnalytics, 'No'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]", - "options": { - "text": "Azure Landing Zones provides an integrated CICD pipeline via AzOps that can be used with either GitHub Actions or Azure DevOps pipelines, but requires a dedicated subscription for platform management in the previous step. 
Please add a subscription or continue without setting up the CICD integration.", - "uri": "https://github.com/azure/azops-accelerator/wiki/introduction", - "style": "Warning" - } - }, - { - "name": "cicdOption", - "type": "Microsoft.Common.OptionsGroup", - "label": "Deploy integrated CICD pipeline?", - "defaultValue": "Yes (recommended)", - "toolTip": "", - "constraints": { - "allowedValues": [ - { - "label": "Yes (recommended)", - "value": "Yes" - }, - { - "label": "No", - "value": "No" - } - ], - "required": true - }, - "visible": "[or(not(empty(steps('esGoalState').esMgmtSubSection.esMgmtSub)), not(empty(steps('lzSettings').esSingleSubSection.esSingleSub)))]" - }, - { - "name": "Instructions", - "type": "Microsoft.Common.TextBlock", - "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]", - "options": { - "text": "Provide the credentials to initialize the repository with the ARM templates for Azure Landing Zones.", - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization" - } - } - }, - { - "name": "optionsGroup1", - "type": "Microsoft.Common.OptionsGroup", - "label": "Select CICD option", - "defaultValue": "GitHub Actions", - "toolTip": "Azure Landing Zones will provide options for both GitHub Actions and Azure DevOps pipelines. For now, only GitHub Actions is available", - "constraints": { - "allowedValues": [ - { - "label": "GitHub Actions", - "value": "actions" - } - ], - "required": true - }, - "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]" - }, - { - "name": "esGit", - "type": "Microsoft.Common.TextBox", - "label": "GitHub organization or username", - "toolTip": "Provide Git org/username.", - "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]", - "defaultValue": "", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z-]{1,39}$", - "validationMessage": "The GitHub org/username must be 1-39 characters." 
- } - }, - { - "name": "esGitRepoName", - "type": "Microsoft.Common.TextBox", - "label": "New GitHub repository name", - "toolTip": "Provide a name for the new repository that will be created", - "defaultValue": "", - "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]", - "placeholder": "", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z-]{1,100}$", - "validationMessage": "The repository name must be 1-100 characters." - } - }, - { - "name": "esPaToken", - "type": "Microsoft.Common.PasswordBox", - "label": { - "password": "GitHub personal access token", - "confirmPassword": "Confirm PA Token" - }, - "toolTip": "Provide the personal access token to access your GitHub account or organization. For more information see this link: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token", - "constraints": { - "required": true, - "validationMessage": "Password must be at least 8 characters long, contain only numbers and letters" - }, - "options": { - "hideConfirmation": true - }, - "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]" - }, - { - "name": "spnSection", - "type": "Microsoft.Common.Section", - "label": "", - "elements": [ - { - "name": "esServicePrincipal", - "type": "Microsoft.Common.ServicePrincipalSelector", - "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]", - "label": { - "password": "Password", - "certificateThumbprint": "Certificate thumbprint", - "authenticationType": "Authentication Type", - "sectionHeader": "Service Principal" - }, - "toolTip": { - "password": "Provide the application secret as it will be used to authenticate with Azure AD", - "certificateThumbprint": "Certificate thumbprint", - "authenticationType": "Authentication Type" - }, - "defaultValue": { - "principalId": "", - "name": "" - }, - "constraints": { - "required": true - }, - "options": { - "hideCertificate": true - } - } - ], - "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]" - } - ] - }, { "name": 
"esConnectivityGoalState", "label": "Network topology and connectivity", @@ -910,7 +758,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Deploy zone redundant or regional VPN Gateway", "defaultValue": "Zone redundant (recommended)", - "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'),contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'),contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('esConnectivityGoalState').esNwLocation))]", "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.", "constraints": { "allowedValues": [ 
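Review bot: The availability-zone region list inside the `visible` expression is a literal that this commit has to extend with `italynorth` separately in this hunk and in the hunks at `@@ -934`, `@@ -970`, `@@ -1006`, `@@ -1207`, `@@ -1231` and `@@ -1262`, so a missed copy silently hides the zone-redundant choice for that region. If the UI-definition format allows it, holding the comma-separated list in one hidden element and referencing that element from each `contains(split(...))` call would make the next region a one-line change. The same expression also tests `equals(steps('esConnectivityGoalState').esVpnGw,'Yes')` twice within one `and()`; the second occurrence is redundant and could be dropped when the line is next touched. The enclosing element continues outside the hunk.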
@@ -934,7 +782,7 @@ "selectAll": false, "filter": false, "multiLine": true, - "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)))]", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('esConnectivityGoalState').esNwLocation)))]", "toolTip": "Select the required SKU for the VPN gateway.", "constraints": { "allowedValues": [ 
@@ -970,7 +818,7 @@ "selectAll": false, "filter": false, "multiLine": true, - "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Zone') ,contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Zone') ,contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('esConnectivityGoalState').esNwLocation))]", "toolTip": "Select the required SKU for the VPN gateway.", "constraints": { "allowedValues": [ 
@@ -1006,7 +854,7 @@ "selectAll": false, "filter": false, "multiLine": true, - "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Regional') ,contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Regional') ,contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('esConnectivityGoalState').esNwLocation))]", "toolTip": "Select the required SKU for the VPN gateway.", "constraints": { "allowedValues": [ 
@@ -1207,7 +1055,7 @@ "type": "Microsoft.Common.OptionsGroup", "label": "Deploy zone redundant or regional ExpressRoute Gateway", "defaultValue": "Zone redundant (recommended)", - "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'),contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'),contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('esConnectivityGoalState').esNwLocation))]", "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route Gateway to the selected region and availability zones.", "constraints": { "allowedValues": [ 
@@ -1231,7 +1079,7 @@ "selectAll": false, "filter": false, "multiLine": true, - "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Zone'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Zone'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('esConnectivityGoalState').esNwLocation))]", "toolTip": "Select the required SKU for the Express Route gateway.", "constraints": { "allowedValues": [ 
@@ -1262,7 +1110,7 @@ "selectAll": false, "filter": false, "multiLine": true, - "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Regional'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation))]", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Regional'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('esConnectivityGoalState').esNwLocation))]", "toolTip": "Select the required SKU for the Express Route gateway.", "constraints": { "allowedValues": [ 
@@ -1293,7 +1141,7 @@ "selectAll": false, "filter": false, "multiLine": true, - "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)))]", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'), not(contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('esConnectivityGoalState').esNwLocation)))]", "toolTip": "Select the required SKU for the Express Route gateway.", "constraints": { "allowedValues": [ 
@@ -1455,7 +1303,7 @@ "multiselect": true, "selectAll": true, "filter": true, - "visible": "[if(or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan')), and(equals(steps('esConnectivityGoalState').esAzFw,'Yes'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast', ','), steps('esConnectivityGoalState').esNwLocation)), false)]", + "visible": "[if(or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan')), and(equals(steps('esConnectivityGoalState').esAzFw,'Yes'), contains(split('canadacentral,centralus,eastus,eastus2,southcentralus,westus2,francecentral,germanywestcentral,northeurope,westeurope,uksouth,southafricanorth,japaneast,southeastasia,australiaeast,italynorth', ','), steps('esConnectivityGoalState').esNwLocation)), false)]", "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.", "constraints": { "allowedValues": [ @@ -2338,7 +2186,6 @@ "enableChangeTracking": "[steps('esGoalState').esChangeTracking]", "enableUpdateMgmt": "[steps('esGoalState').esUpdateMgmt]", "enableVmInsights": "[steps('esGoalState').esVmInsights]", - "enableServiceMap": "[steps('esGoalState').esServiceMap]", "enableSqlAssessment": "[steps('esGoalState').esSqlAssessment]", "enableSqlVulnerabilityAssessment": "[steps('esGoalState').esSqlVulnerabilityAssessment]", "enableSqlAdvancedThreatProtection": "[steps('esGoalState').esSqlAdvancedThreatProtection]", 
@@ -2366,14 +2213,6 @@ "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]", "firewallSku": "[steps('esConnectivityGoalState').esAzFwSku]", "firewallZones": "[steps('esConnectivityGoalState').esFwAz]", - "paToken": "[steps('lzDevOps').esPaToken]", - "principalId": "[steps('lzDevOps').spnSection.esServicePrincipal.objectId]", - "principalSecret": "[steps('lzDevOps').spnSection.esServicePrincipal.password]", - "gitHubUserNameOrOrg": "[steps('lzDevOps').esGit]", - "appId": "[steps('lzDevOps').spnSection.esServicePrincipal.appId]", - "enableAzOps": "[steps('lzDevOps').cicdOption]", - "subscriptionId": "[steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId]", - "repositoryName": "[steps('lzDevOps').esGitRepoName]", "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]", "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]", "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]", @@ -2381,6 +2220,7 @@ "erAzSku": "[steps('esConnectivityGoalState').esErAzSku]", "erRegionalSku": "[if(empty(steps('esConnectivityGoalState').esErRegionalSku), steps('esConnectivityGoalState').esErNoAzSku, steps('esConnectivityGoalState').esErRegionalSku)]", "singlePlatformSubscriptionId": "[steps('lzSettings').esSingleSubSection.esSingleSub.subscriptionId]", + "denyClassicResources": "[steps('lzSettings').denyClassicResources]", "expressRouteScaleUnit": "[steps('esConnectivityGoalState').esVwanErScaleUnits]", "vpnGateWayScaleUnit": "[steps('esConnectivityGoalState').esVwanGwScaleUnits]", "enablePrivateDnsZones": "[steps('esConnectivityGoalState').esPrivateDns]", diff --git a/eslzArm/managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json b/eslzArm/managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json new file mode 100644 index 0000000000..fbec0e2435 --- /dev/null 
+++ b/eslzArm/managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "logAnalyticsResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the resourceId to the central Log Analytics workspace."
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "toLa",
+ "properties": {
+ "workspaceId": "[parameters('logAnalyticsResourceId')]",
+ "logs": [
+ {
+ "category": "Administrative",
+ "enabled": true
+ },
+ {
+ "category": "Policy",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json
new file mode 100644
index 0000000000..5186b3e49b
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json
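Review bot: The management-group activity log is forwarded to Log Analytics only, and `logAnalyticsResourceId` has no validation, so a mistyped workspace id is accepted by the template and the logs silently land nowhere; there is also no way to add an Event Hub (SIEM forwarding) or storage (long-term archive) sink from this template. Consider `"minLength": 1` on the parameter and optional `eventHubAuthorizationRuleId` / `storageAccountId` parameters, empty by default, wired into the same `properties` block so a single diagnostic setting carries all destinations. `Administrative` and `Policy` appear to be the only categories available at management-group scope, so the fixed `logs` array looks complete; saying so in the parameter description would help the next maintainer who wonders why `Security` is absent.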
@@ -0,0 +1,66 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyEffect": { + "type": "string", + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "auditWAF": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66" + }, + "policyAssignmentNames": { + "auditWAF": "Audit-AppGW-WAF", + "description": "Assign the WAF should be enabled for Application Gateway audit policy.", + "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway" + }, + "nonComplianceMessage": { + "message": "Web Application Firewall (WAF) {enforcementMode} be enabled for Application Gateway.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').auditWAF]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').auditWAF]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "effect": { + "value": "[parameters('policyEffect')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file 
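Review bot: `nonComplianceMessagePlaceholder` is exposed as a parameter, but the token it is meant to match is the literal `{enforcementMode}` baked into `variables('nonComplianceMessage').message`, so any caller who overrides the parameter gets a portal message with the raw token left in because `replace()` then matches nothing. Either drop the parameter and keep the placeholder as a variable, `"placeholder": "{enforcementMode}"` inside `nonComplianceMessage`, or build the message string from the parameter as well. Separately, `policyEffect` accepts `Deny`, yet the assignment name `Audit-AppGW-WAF` and its `description` promise an audit; the wording should match the strongest effect a caller can select, and the parameters here lack the `metadata.description` the sibling templates provide.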
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-PeDnsZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-PeDnsZonesPolicyAssignment.json new file mode 100644 index 0000000000..dde016064b --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-PeDnsZonesPolicyAssignment.json 
@@ -0,0 +1,148 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "policyEffect": { + "type": "string", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "privateLinkDnsZones": { + "type": "array", + "metadata": { + "displayName": "Private Link Private DNS Zones", + "description": "An array of Private Link Private DNS Zones to check for the existence of in the assigned scope." + }, + "defaultValue": [ + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + "privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + 
"privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + } + }, + "variables": { + "policyDefinitions": { + "auditPeDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones')]" + }, + "policyAssignmentNames": { + "auditPeDnsZones": "Audit-PeDnsZones", + "description": "Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone.", + 
"displayName": "Audit Private Link Private DNS Zone resources" + }, + "nonComplianceMessage": { + "message": "Private Link Private DNS Zone resources {enforcementMode} be deployed in the Corp landing zone.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').auditPeDnsZones]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').auditPeDnsZones]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "privateLinkDnsZones": { + "value": "[parameters('privateLinkDnsZones')]" + }, + "effect": { + "value": "[parameters('policyEffect')]" + } + } + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json similarity index 50% rename from eslzArm/managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json rename to eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json index 8571dd4ac2..283cf25ac6 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DatabricksPipPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json 
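Review bot: The `privateLinkDnsZones` default is a static array, so zones whose names embed a region or region code (some services are documented with such names) cannot be expressed here and will never be checked by this assignment; the parameter description should state that only region-independent zones are covered and that region-bound zones need a separate check. The `description` text `in the Corp landing zone` hard-codes an assumption about where the assignment lands, while the template itself carries no scope constraint; a neutral wording such as `Audits that the expected Private Link Private DNS Zones exist in the assigned scope.` avoids misleading anyone who assigns it elsewhere. `topLevelManagementGroupPrefix` is concatenated straight into the definition id and would benefit from `"minLength": 1` so an empty value fails at validation rather than at deployment.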
@@ -2,12 +2,6 @@ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." - } - }, "enforcementMode": { "type": "string", "allowedValues": [ 
@@ -15,32 +9,43 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { "policyDefinitions": { - "denyDatabricksPip": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp')]" - }, + "auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a" + }, "policyAssignmentNames": { - "denyDatabricksPip": "Deny-DataB-Pip", - "description": "Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", - "displayName": "Prevent usage of Databricks with public IP" + "auditRGL": "Audit-ResourceRGLocation", + "description": "Resource Group and Resource locations should match.", + "displayName": "Resource Group and Resource locations should match" + }, + "nonComplianceMessage": { + "message": "Resources {enforcementMode} be deployed in the same region as the Resource Group.", + "Default": "must", + "DoNotEnforce": "should" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyDatabricksPip]", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').auditRGL]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyDatabricksPip]", + "policyDefinitionId": "[variables('policyDefinitions').auditRGL]", "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "Deny" + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), 
variables('nonComplianceMessage')[parameters('enforcementMode')])]" } + ], + "parameters": { } } } diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-TrustedLaunchPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-TrustedLaunchPolicyAssignment.json new file mode 100644 index 0000000000..82338d02da --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-TrustedLaunchPolicyAssignment.json 
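Review bot: This rename replaces the assignment of the custom `Deny-Databricks-NoPublicIp` definition with an assignment of the built-in location-match audit `0a914e76-4921-4c19-b460-a2d36003525a`, and nothing else in the visible diff re-assigns a Databricks public-IP deny, while `DENY-DatabricksSkuPolicyAssignment.json` is deleted further down as well; unless those controls moved into an initiative outside this diff, a deny guardrail is dropped silently. Please state in the commit message where the Databricks controls now live, or keep the old assignment file alongside the new one instead of letting git's similarity heuristic present a removal as a rename. The new assignment passes `"parameters": { }`, which is consistent with a definition that exposes no `effect` parameter, but a `metadata.description` on `enforcementMode` would tell callers that `DoNotEnforce` is the only available toggle.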
@@ -0,0 +1,72 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "effect": { + "type": "string", + "allowedValues": [ + "Disabled", + "Audit" + ], + "defaultValue": "Audit" + } + }, + "variables": { + "policyDefinitions": { + "auditTrustedLaunch": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch')]" + }, + "policyAssignmentNames": { + "trustedLaunch": "Audit-TrustedLaunch", + "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). 
To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.", + "displayName": "Audit virtual machines for Trusted Launch support" + }, + "nonComplianceMessage": { + "message": "Trust Launch {enforcementMode} be used on supported virtual machines for enhanced security.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').trustedLaunch]", + "location": "[deployment().location]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').auditTrustedLaunch]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "effect": { + "value": "[parameters('effect')]" + } + } + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-UnusedResourcesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-UnusedResourcesPolicyAssignment.json new file mode 100644 index 0000000000..98b49a5a33 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-UnusedResourcesPolicyAssignment.json 
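Review bot: The non-compliance message contains a typo in the string users see in the portal, `Trust Launch {enforcementMode} be used on supported virtual machines for enhanced security.`; it should read `Trusted Launch {enforcementMode} be used on supported virtual machines for enhanced security.` The assignment also sets `"location": "[deployment().location]"` with no `identity` block, whereas the sibling audit assignments in this diff (WAF, PeDnsZones, ZoneResiliency) omit `location`; it is only required when an assignment has a managed identity, so either drop it here or add it everywhere for consistency. The `description` for `effect` is missing as well, and the `Gen 2` remark in the assignment description would be clearer as `Generation 2 VM image`.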
@@ -0,0 +1,94 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "effectDisks": { + "type": "string", + "allowedValues": [ + "Disabled", + "Audit" + ], + "defaultValue": "Audit" + }, + "effectPublicIpAddresses": { + "type": "string", + "allowedValues": [ + "Disabled", + "Audit" + ], + "defaultValue": "Audit" + }, + "effectServerFarms": { + "type": "string", + "allowedValues": [ + "Disabled", + "Audit" + ], + "defaultValue": "Audit" + } + }, + "variables": { + "policyDefinitions": { + "auditCostOptimization": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization')]" + }, + "policyAssignmentNames": { + "costOptimization": "Audit-UnusedResources", + "description": "This Policy initiative is a group of Policy definitions that help optimize cost by detecting unused but chargeable resources. 
Leverage this Policy initiative as a cost control to reveal orphaned resources that are driving cost.", + "displayName": "Unused resources driving cost should be avoided" + }, + "nonComplianceMessage": { + "message": "Unused resources driving cost {enforcementMode} be avoided.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').costOptimization]", + "location": "[deployment().location]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').auditCostOptimization]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "EffectDisks": { + "value": "[parameters('effectDisks')]" + }, + "EffectPublicIpAddresses": { + "value": "[parameters('effectPublicIpAddresses')]" + }, + "EffectServerFarms": { + "value": "[parameters('effectServerFarms')]" + } + } + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json new file mode 100644 index 0000000000..97bb4e0644 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "effect": { + "type": "string", + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, + "allow": { + "type": "string", + "allowedValues": [ + "Both", + "Redundant", + "Aligned" + ], + "defaultValue": "Both" + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "auditZR": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5" + }, + "policyAssignmentNames": { + "auditZR": "Audit-ZoneResiliency", + "description": "Resources should be Zone Resilient.", + "displayName": "Resources should be Zone Resilient" + }, + "nonComplianceMessage": { + "message": "Resources {enforcementMode} be Zone Resilient.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').auditZR]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').auditZR]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "effect": { + "value": "[parameters('effect')]" + }, + "allow": { + "value": "[parameters('allow')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at 
end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json index f3e13e0782..5df1fa7f16 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json @@ -24,7 +24,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').denyAksNoPrivEsc]", "properties": { "description": "[variables('policyAssignmentNames').description]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json index 033f6bdcf7..3f4fde274d 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json @@ -24,7 +24,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').denyAksPriv]", "properties": { "description": "[variables('policyAssignmentNames').description]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json index 90d9ea4039..dedf8bf2ce 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json 
@@ -24,7 +24,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').denyHttpIngressAks]", "properties": { "description": "[variables('policyAssignmentNames').description]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json new file mode 100644 index 0000000000..63325713d8 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json 
@@ -0,0 +1,126 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyEffect": { + "type": "string", + "allowedValues": [ + "Deny", + "Audit" + ], + "defaultValue": "Deny" + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "denyClassicResources": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749" + }, + "policyAssignmentNames": { + "denyClassicResources": "Deny-Classic-Resources", + "description": "Denies deployment of classic resource types under the assigned scope.", + "displayName": "Deny the deployment of classic resources" + }, + "nonComplianceMessage": { + "message": "Classic resources {enforcementMode} not be deployed.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').denyClassicResources]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').denyClassicResources]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "listOfResourceTypesNotAllowed": { + "value": [ + "Microsoft.ClassicCompute/capabilities", + "Microsoft.ClassicCompute/checkDomainNameAvailability", + "Microsoft.ClassicCompute/domainNames", + 
"Microsoft.ClassicCompute/domainNames/capabilities", + "Microsoft.ClassicCompute/domainNames/internalLoadBalancers", + "Microsoft.ClassicCompute/domainNames/serviceCertificates", + "Microsoft.ClassicCompute/domainNames/slots", + "Microsoft.ClassicCompute/domainNames/slots/roles", + "Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions", + "Microsoft.ClassicCompute/domainNames/slots/roles/metrics", + "Microsoft.ClassicCompute/moveSubscriptionResources", + "Microsoft.ClassicCompute/operatingSystemFamilies", + "Microsoft.ClassicCompute/operatingSystems", + "Microsoft.ClassicCompute/operations", + "Microsoft.ClassicCompute/operationStatuses", + "Microsoft.ClassicCompute/quotas", + "Microsoft.ClassicCompute/resourceTypes", + "Microsoft.ClassicCompute/validateSubscriptionMoveAvailability", + "Microsoft.ClassicCompute/virtualMachines", + "Microsoft.ClassicCompute/virtualMachines/diagnosticSettings", + "Microsoft.ClassicCompute/virtualMachines/metricDefinitions", + "Microsoft.ClassicCompute/virtualMachines/metrics", + "Microsoft.ClassicInfrastructureMigrate/classicInfrastructureResources", + "Microsoft.ClassicNetwork/capabilities", + "Microsoft.ClassicNetwork/expressRouteCrossConnections", + "Microsoft.ClassicNetwork/expressRouteCrossConnections/peerings", + "Microsoft.ClassicNetwork/gatewaySupportedDevices", + "Microsoft.ClassicNetwork/networkSecurityGroups", + "Microsoft.ClassicNetwork/operations", + "Microsoft.ClassicNetwork/quotas", + "Microsoft.ClassicNetwork/reservedIps", + "Microsoft.ClassicNetwork/virtualNetworks", + "Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies", + "Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings", + "Microsoft.ClassicStorage/capabilities", + "Microsoft.ClassicStorage/checkStorageAccountAvailability", + "Microsoft.ClassicStorage/disks", + "Microsoft.ClassicStorage/images", + "Microsoft.ClassicStorage/operations", + "Microsoft.ClassicStorage/osImages", + 
"Microsoft.ClassicStorage/osPlatformImages", + "Microsoft.ClassicStorage/publicImages", + "Microsoft.ClassicStorage/quotas", + "Microsoft.ClassicStorage/storageAccounts", + "Microsoft.ClassicStorage/storageAccounts/blobServices", + "Microsoft.ClassicStorage/storageAccounts/fileServices", + "Microsoft.ClassicStorage/storageAccounts/metricDefinitions", + "Microsoft.ClassicStorage/storageAccounts/metrics", + "Microsoft.ClassicStorage/storageAccounts/queueServices", + "Microsoft.ClassicStorage/storageAccounts/services", + "Microsoft.ClassicStorage/storageAccounts/services/diagnosticSettings", + "Microsoft.ClassicStorage/storageAccounts/services/metricDefinitions", + "Microsoft.ClassicStorage/storageAccounts/services/metrics", + "Microsoft.ClassicStorage/storageAccounts/tableServices", + "Microsoft.ClassicStorage/storageAccounts/vmImages", + "Microsoft.ClassicStorage/vmImages", + "Microsoft.ClassicSubscription/operations" + ] + }, + "effect": { + "value": "[parameters('policyEffect')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json index bb36ca473f..717b54509a 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json 
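Review bot: `listOfResourceTypesNotAllowed` mixes deployable types with read-only enumeration types such as `Microsoft.ClassicCompute/operations`, `Microsoft.ClassicCompute/quotas`, `Microsoft.ClassicCompute/capabilities` and `Microsoft.ClassicCompute/checkDomainNameAvailability`; a not-allowed-types deny only bites on resources that can be written, so those entries add noise without protection and make the intent harder to audit. More importantly, `Microsoft.ClassicInfrastructureMigrate/classicInfrastructureResources` appears to be the provider used when migrating classic resources to ARM, so the default `Deny` at a scope with an in-flight migration could block the very move this policy is meant to encourage; either leave that type out or document that a policy exemption is required for the migration window. Adding `metadata.description` to `policyEffect` noting why `Disabled` is deliberately not offered would also help callers who compare this template with the other assignments in the diff.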
@@ -15,17 +15,26 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { "policyDefinitions": { - "deployEncryptionInTransit": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit')]" + "deployEncryptionInTransit": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509')]" }, "policyAssignmentNames": { - "deployEncryptionInTransit": "Enforce-TLS-SSL", - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.", + "deployEncryptionInTransit": "Enforce-TLS-SSL-H224", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.", "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit" }, + "nonComplianceMessage": { + "message": "TLS and SSL {enforcementMode} be enabled for on resources without encryption in transit.", + "Default": "must", + "DoNotEnforce": "should" + }, "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "roleAssignmentNames": { "deployEncryptionInTransit": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').deployEncryptionInTransit))]" 
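Review bot: The Enforce-TLS-SSL-H224 assignment identity still receives the Owner role via the unchanged `rbacOwner` variable (`8e3af657-a8ff-443c-a75c-2fe8c4bcb635`), even though this same commit moves DINE-ActivityLogPolicyAssignment.json from Owner to narrower built-in roles; the roleAssignments resource that consumes it is outside this hunk, but a DINE/append initiative that only sets TLS properties should not need Owner at the management group, and a narrower role would be the least-privilege choice. The new non-compliance message also has a wording slip that every non-compliant deployer will see: `"message": "TLS and SSL {enforcementMode} be enabled for on resources without encryption in transit."` should read `... be enabled on resources without encryption in transit.`.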
@@ -34,7 +43,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').deployEncryptionInTransit]", "location": "[deployment().location]", "identity": { @@ -45,6 +54,11 @@ "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployEncryptionInTransit]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "parameters": {} } }, diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json deleted file mode 100644 index f89ae9e2c7..0000000000 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DatabricksSkuPolicyAssignment.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyDatabricksSku": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku')]" - }, - "policyAssignmentNames": { - "denyDatabricksSku": "Deny-DataB-Sku", - "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", - "displayName": "Enforces the use of Premium Databricks workspaces" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyDatabricksSku]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyDatabricksSku]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "Deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DatabricksVnetPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DatabricksVnetPolicyAssignment.json deleted file mode 100644 index c39cc41c23..0000000000 
--- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DatabricksVnetPolicyAssignment.json +++ /dev/null @@ -1,49 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." - } - }, - "enforcementMode": { - "type": "string", - "allowedValues": [ - "Default", - "DoNotEnforce" - ], - "defaultValue": "Default" - } - }, - "variables": { - "policyDefinitions": { - "denyDatabricksVnet": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork')]" - }, - "policyAssignmentNames": { - "denyDatabricksVnet": "Deny-DataB-Vnet", - "description": "Enforces the use of vnet injection for Databricks workspaces.", - "displayName": "Enforces the use of vnet injection for Databricks" - } - }, - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", - "name": "[variables('policyAssignmentNames').denyDatabricksVnet]", - "properties": { - "description": "[variables('policyAssignmentNames').description]", - "displayName": "[variables('policyAssignmentNames').displayName]", - "policyDefinitionId": "[variables('policyDefinitions').denyDatabricksVnet]", - "enforcementMode": "[parameters('enforcementMode')]", - "parameters": { - "effect": { - "value": "Deny" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json new file mode 100644 index 0000000000..e695b06b39 --- /dev/null 
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyEffect": { + "type": "string", + "allowedValues": [ + "Deny", + "Audit" + ], + "defaultValue": "Deny" + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "denyHybridNetworking": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749" + }, + "policyAssignmentNames": { + "denyHybridNetworking": "Deny-HybridNetworking", + "description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.", + "displayName": "Deny the deployment of vWAN/ER/VPN gateway resources" + }, + "nonComplianceMessage": { + "message": "vWAN/ER/VPN gateway resources {enforcementMode} not be deployed in the Corp landing zone.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').denyHybridNetworking]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').denyHybridNetworking]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "listOfResourceTypesNotAllowed": { + "value": [ + "microsoft.network/expressroutecircuits", + "microsoft.network/expressroutegateways", + 
"microsoft.network/expressrouteports", + "microsoft.network/virtualwans", + "microsoft.network/virtualhubs", + "microsoft.network/vpngateways", + "microsoft.network/p2svpngateways", + "microsoft.network/vpnsites", + "microsoft.network/virtualnetworkgateways" + ] + }, + "effect": { + "value": "[parameters('policyEffect')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json index 7d0acb83be..5aed8232e2 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json @@ -9,6 +9,10 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { 
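Review bot: The non-compliance message only varies with `enforcementMode`, so when `policyEffect` is set to `Audit` the gateway resource is created yet the evaluation still tells the deployer that vWAN/ER/VPN gateway resources `must not be deployed`. Since the message is assembled with `replace()` from a single template string, either select an audit-specific wording with `if(equals(parameters('policyEffect'), 'Audit'), ..., ...)` or state in the parameter metadata that the message assumes the Deny effect. Separately, `policyEffect` and `enforcementMode` carry no `metadata.description`, unlike `topLevelManagementGroupPrefix` in the sibling templates; a one-line description of each would help operators reading the assignment in the portal.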
@@ -19,17 +23,27 @@ "denyIpForwarding": "Deny-IP-forwarding", "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.", "displayName": "Network interfaces should disable IP forwarding" + }, + "nonComplianceMessage": { + "message": "Network interfaces {enforcementMode} disable IP forwarding.", + "Default": "must", + "DoNotEnforce": "should" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').denyIpForwarding]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]" } } diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-MgmtPortsFromInternetPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-MgmtPortsFromInternetPolicyAssignment.json new file mode 100644 index 0000000000..a031ef4c24 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-MgmtPortsFromInternetPolicyAssignment.json 
@@ -0,0 +1,58 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "denyMgmt": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet')]" + }, + "policyAssignmentNames": { + "denyMgmt": "Deny-MgmtPorts-Internet", + "description": "This policy denies any network security rule that allows management port access from the Internet", + "displayName": "Management port access from the Internet should be blocked" + }, + "nonComplianceMessage": { + "message": "Management port access from the Internet {enforcementMode} be blocked.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').denyMgmt]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').denyMgmt]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + } + ], + 
"outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json index d3c4083e43..f2888167ea 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json @@ -15,6 +15,10 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { @@ -25,12 +29,17 @@ "denyPublicEndpoint": "Deny-Public-Endpoints", "displayName": "Public network access should be disabled for PaaS services", "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints" + }, + "nonComplianceMessage": { + "message": "Public network access {enforcementMode} be disabled for PaaS services.", + "Default": "must", + "DoNotEnforce": "should" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').denyPublicEndpoint]", "location": "[deployment().location]", "properties": { @@ -38,6 +47,11 @@ "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyPublicEndpoint]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "parameters": {} } } 
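Review bot: The new Deny-MgmtPorts-Internet assignment passes no `parameters`, so it inherits whatever default effect the Deny-MgmtPorts-From-Internet definition declares, whereas DENY-StorageWithoutHttpsPolicyAssignment.json in this same commit pins `"effect": { "value": "Deny" }` explicitly; if the definition's default is ever relaxed to Audit, this assignment silently stops blocking management-port rules while its display name and message still say "blocked". Adding `"parameters": { "effect": { "value": "Deny" } }` makes the intent explicit (the definition is not in this diff, so confirm it exposes an `effect` parameter first). The file also uses the `tenantDeploymentTemplate.json#` schema while its definition ID is built from the management-group prefix and the sibling DENY templates use `managementGroupDeploymentTemplate.json#`; worth aligning unless the tenant schema is intentional.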
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json
new file mode 100644
index 0000000000..941292cc93
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json
@@ -0,0 +1,52 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "denyPipOnNic": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114" + }, + "policyAssignmentNames": { + "denyPipOnNIC": "Deny-Public-IP-On-NIC", + "description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.", + "displayName": "Deny network interfaces having a public IP associated" + }, + "nonComplianceMessage": { + "message": "Network interfaces {enforcementMode} not have a public IP associated.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').denyPipOnNic]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').denyPipOnNic]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json index 02e22d6501..b7c17d5b5d 100644 
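Review bot: The assignment name key is declared as `denyPipOnNIC` but the resource reads `variables('policyAssignmentNames').denyPipOnNic`, and the definition key is `denyPipOnNic`. ARM resolves property names on variable objects case-insensitively as far as I know, so this may deploy, but the mismatch is a trap for anyone porting the pattern to a case-sensitive context such as Bicep or template tests; rename the key to `"denyPipOnNic": "Deny-Public-IP-On-NIC"` so all three references agree.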
--- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json @@ -9,6 +9,10 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { @@ -19,18 +23,28 @@ "denyPip": "Deny-Public-IP", "description": "This policy denies creation of Public IPs under the assigned scope.", "displayName": "Deny the creation of public IP" + }, + "nonComplianceMessage": { + "message": "Public IPs {enforcementMode} not be created under this scope.", + "Default": "must", + "DoNotEnforce": "should" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').denyPip]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyPip]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "parameters": { "listOfResourceTypesNotAllowed": { "value": [ diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json index 736cb73d89..05cda17684 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json 
@@ -9,6 +9,10 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { @@ -19,18 +23,28 @@ "storageHttps": "Deny-Storage-http", "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", "displayName": "Secure transfer to storage accounts should be enabled" + }, + "nonComplianceMessage": { + "message": "Secure transfer to storage accounts {enforcementMode} be enabled.", + "Default": "must", + "DoNotEnforce": "should" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').storageHttps]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').storageHttps]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "parameters": { "effect": { "value": "Deny" diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json index f507d57fdf..6efd4174d0 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json 
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json @@ -15,6 +15,10 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { @@ -25,18 +29,28 @@ "denySubnetWithoutNsg": "Deny-Subnet-Without-Nsg", "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.", "displayName": "Subnets should have a Network Security Group" + }, + "nonComplianceMessage": { + "message": "Subnets {enforcementMode} have a Network Security Group.", + "Default": "must", + "DoNotEnforce": "should" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').denySubnetWithoutNsg]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denySubnetWithoutNsg]", - "enforcementMode": "[parameters('enforcementMode')]" + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] } } ], diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json new file mode 100644 index 0000000000..786b5e666f --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json 
@@ -0,0 +1,58 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "denyVMUnmanagedDisk": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" + }, + "policyAssignmentNames": { + "denyVMUnmanagedDisk": "Deny-UnmanagedDisk", + "description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields.", + "displayName": "Deny virtual machines and virtual machine scale sets that do not use managed disk" + }, + "nonComplianceMessage": { + "message": "Virtual machines and virtual machine scales sets {enforcementMode} use a managed disk.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').denyVMUnmanagedDisk]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').denyVMUnmanagedDisk]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "overrides":[ + { + "kind": "policyEffect", + "value": "Deny" + } + ] + } + } + ], + "outputs": {} +} \ No newline at end of file 
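Review bot: The non-compliance message contains a typo that surfaces on every blocked deployment: `"message": "Virtual machines and virtual machine scales sets {enforcementMode} use a managed disk."` should read `... virtual machine scale sets ...`. The `overrides` entry hard-codes `Deny` with no selector, so there is no Audit path for a staged rollout of the kind DENY-HybridNetworkingPolicyAssignment.json offers through its `policyEffect` parameter; if audit-first rollout is wanted, a `policyEffect` parameter with allowedValues `Deny`/`Audit` feeding the override `value` would keep the two new templates consistent. Like DENY-MgmtPortsFromInternetPolicyAssignment.json, this file uses the `tenantDeploymentTemplate.json#` schema while the other DENY templates use the management-group schema.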
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json
new file mode 100644
index 0000000000..31875c0798
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json
@@ -0,0 +1,75 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "effect": { + "type": "string", + "allowedValues": [ + "DenyAction", + "Disabled" + ], + "defaultValue": "DenyAction" + }, + "resourceName": { + "type": "string", + "metadata": { + "description": "Provide the name of the resource that you want to protect from accidental deletion." + } + }, + "resourceType": { + "type": "string", + "metadata": { + "description": "Provide the resource type that you want to protect from accidental deletion." + } + } + }, + "variables": { + "policyDefinitions": { + "denyActionResourceDeletion": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources')]" + }, + "policyAssignmentNames": { + "denyActionResourceDeletion": "DenyAction-DeleteUAMIAMA", + "description": "This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect.", + "displayName": "Do not allow deletion of the User Assigned Managed Identity used by AMA" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').denyActionResourceDeletion]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": 
"[variables('policyDefinitions').denyActionResourceDeletion]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "effect": { + "value": "[parameters('effect')]" + }, + "resourceName": { + "value": "[parameters('resourceName')]" + }, + "resourceType": { + "value": "[parameters('resourceType')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json index 590df713d4..af1d1d71f9 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json @@ -9,6 +9,10 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { @@ -19,12 +23,17 @@ "ascMonitoring": "Deploy-ASC-Monitoring", "description": "Microsoft Cloud Security Benchmark policy initiative.", "displayName": "Microsoft Cloud Security Benchmark" + }, + "nonComplianceMessage": { + "message": "Microsoft Cloud Security Benchmark {enforcementMode} be met.", + "Default": "must", + "DoNotEnforce": "should" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').ascMonitoring]", "location": "[deployment().location]", "identity": { 
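Review bot: This is the only assignment template touched by the commit that does not add `nonComplianceMessages`, so a blocked delete of the AMA identity surfaces as a generic policy error rather than an explanation that the resource is protected by `DenyAction-DeleteUAMIAMA`; reusing the `nonComplianceMessagePlaceholder`/`nonComplianceMessage` pattern from the other files, e.g. `"message": "The User Assigned Managed Identity used by AMA {enforcementMode} not be deleted."`, would keep it consistent and make the protection self-explaining to operators. The assignment name is fixed while `resourceName` and `resourceType` are free parameters, so two deployments protecting different resources at the same scope would overwrite each other rather than coexist; if that is intended, say so in the parameter metadata. The DenyAction-DeleteResources definition is not in this diff, so I could not confirm it accepts `resourceName` and `resourceType` as parameters.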
@@ -35,6 +44,11 @@ "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').ascMonitoring]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "parameters": {} } } diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json index c630e36954..051665e46b 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json @@ -21,6 +21,10 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { 
@@ -32,15 +36,22 @@ "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events", "displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace" }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "nonComplianceMessage": { + "message": "Azure Activity logs {enforcementMode} be configured to stream to specified Log Analytics workspace.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", "roleAssignmentNames": { - "deployAzureActivityLog": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').azureActivityLog))]" + "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureActivityLog,'-1'))]", + "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureActivityLog,'-2'))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').azureActivityLog]", "location": "[deployment().location]", "identity": { @@ -51,6 +62,11 @@ "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployAzureActivityLog]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "parameters": { "logAnalytics": { "value": "[parameters('logAnalyticsResourceId')]" 
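Review bot: Replacing `rbacOwner` with Monitoring Contributor and Log Analytics Contributor is a clear least-privilege improvement, but because the role-assignment seeds change to `guid(concat(prefix, name, '-1'))` and `'-2'`, an incremental redeploy creates the two new assignments and leaves the original Owner assignment (seeded `guid(concat(prefix, name))`) untouched, so the policy identity keeps Owner at the management group until someone removes it by hand. The seed change is understandable since an existing role assignment cannot be updated in place, but the upgrade guidance or a cleanup step needs to call out deleting the orphaned Owner assignment, otherwise the privilege reduction is only on paper. The new seeds also spell the parameter `toplevelManagementGroupPrefix` while the template declares `topLevelManagementGroupPrefix`; ARM resolves parameter names case-insensitively as far as I know, but aligning the spelling avoids confusion.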
@@ -64,13 +80,26 @@ { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployAzureActivityLog]", + "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureActivityLog]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]", "dependsOn": [ "[variables('policyAssignmentNames').azureActivityLog]" ], "properties": { "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]", "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2019-09-01', 'Full' ).identity.principalId)]" } } diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json index 25467b58f2..9079653de9 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json 
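Review bot: Both role assignments stay on `"apiVersion": "2019-04-01-preview"` and both `reference(...)` calls still pin `'2019-09-01'`, although the assignment they depend on moved to `2022-06-01` in the previous hunk and the new ChangeTracking templates in this commit use `2022-04-01` for roleAssignments. Mixing preview and GA versions across sibling templates makes future diffs noisier than needed; suggest `"apiVersion": "2022-04-01"` here, in the AKS roleAssignments hunk and in the two new ATP templates. The properties used (`principalType`, `roleDefinitionId`, `principalId`) exist in both versions, so this is a consistency point only.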
@@ -26,15 +26,17 @@ "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.", "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters" }, - "rbac": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "rbacAksContributor": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "rbacAksPolicyAddon": "18ed5180-3e48-46fd-8541-4ea054d57064", "roleAssignmentNames": { - "deployAks": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployAks))]" + "roleAssignmentNameAksContributor": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployAks))]", + "roleAssignmentNameAksPolicyAddon": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployAks,'-PolicyAddon'))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').deployAks]", "location": "[deployment().location]", "identity": { 
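Review bot: The AKS assignment only receives the `apiVersion` bump to `2022-06-01` here, and neither this hunk nor the resources hunk adds the `nonComplianceMessages` entry and `nonComplianceMessagePlaceholder` parameter that every other assignment touched by this commit gains; the `properties` block lies between the two hunks and appears unchanged. If that is deliberate, a sentence in the PR description would help; otherwise add the same `nonComplianceMessage` variable and message entry for consistency. Minor: the new name suffix `'-PolicyAddon'` differs from the `'-1'`/`'-2'` convention used in DINE-ActivityLogPolicyAssignment.json.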
@@ -50,13 +52,26 @@ { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployAks]", + "name": "[variables('roleAssignmentNames').roleAssignmentNameAksContributor]", "dependsOn": [ "[variables('policyAssignmentNames').deployAks]" ], "properties": { "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbac'))]", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacAksContributor'))]", + "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployAks), '2019-09-01', 'Full' ).identity.principalId]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').roleAssignmentNameAksPolicyAddon]", + "dependsOn": [ + "[variables('policyAssignmentNames').deployAks]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacAksPolicyAddon'))]", "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployAks), '2019-09-01', 'Full' ).identity.principalId]" } } diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json new file mode 100644 index 0000000000..d1959f0147 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json 
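Review bot: Both `principalId` expressions in this hunk use `reference(...).identity.principalId` without the `toLower(...)` wrapper that every other role assignment in this commit applies (ActivityLog, ATP and ChangeTracking templates). As far as I know Azure resolves the principal object id case-insensitively, so this is a consistency point rather than a functional one, but keeping a single form avoids spurious diffs when these templates are next touched; suggest `"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployAks), '2019-09-01', 'Full' ).identity.principalId)]"` in both resources.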
@@ -0,0 +1,80 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "DineAtpOssDb": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e" + }, + "policyAssignmentNames": { + "DineAtpOssDb": "Deploy-MDFC-OssDb", + "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
See https://aka.ms/AzDforOpenSourceDBsDocu.", + "displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases" + }, + "nonComplianceMessage": { + "message": "Advanced Threat Protection {enforcementMode} be enabled on open-source relational databases.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployAtpOssRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').DineAtpOssDb))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').DineAtpOssDb]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').DineAtpOssDb]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": {} + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployAtpOssRoles]", + "dependsOn": [ + "[variables('policyAssignmentNames').DineAtpOssDb]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').DineAtpOssDb), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + 
"outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json new file mode 100644 index 0000000000..34febb1340 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json 
@@ -0,0 +1,80 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "DineAtpSqlDb": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97" + }, + "policyAssignmentNames": { + "DineAtpSqlDb": "Deploy-MDFC-SqlAtp", + "description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.", + "displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances" + }, + "nonComplianceMessage": { + "message": "Azure Defender {enforcementMode} be enabled on SQL Servers and SQL Managed Instances.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacSqlSecurityManager": "056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "roleAssignmentNames": { + "deployAtpSqlRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').DineAtpSqlDb))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').DineAtpSqlDb]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", 
+ "policyDefinitionId": "[variables('policyDefinitions').DineAtpSqlDb]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": {} + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployAtpSqlRoles]", + "dependsOn": [ + "[variables('policyAssignmentNames').DineAtpSqlDb]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacSqlSecurityManager'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').DineAtpSqlDb), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json new file mode 100644 index 0000000000..cde092b64c --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json 
@@ -0,0 +1,152 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "dataCollectionRuleResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId to the Data collection rule" + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "effect": { + "type": "string", + "metadata": { + "description": "Enable or disable the policy assignment" + }, + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "scope": { + "type": "String", + "metadata": { + "displayName": "Scope", + "description": "Scope of the policy assignment" + } + }, + "platformScope": { + "type": "String", + "metadata": { + "displayName": "Platform Scope", + "description": "Scope of the reader role assignment" + }, + "defaultValue": "[parameters('scope')]" + } + }, + "variables": { + "policyDefinitions": { + "vmArcChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1" + }, + "policyAssignmentNames": { + "vmArcChangeTracking": "Deploy-vmArc-ChangeTrack", + "description": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines. 
Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations.", + "displayName": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines" + }, + "nonComplianceMessage": { + "message": "Change Tracking {enforcementMode} be enabled for Arc-enabled Virtual Machines.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7", + "roleAssignmentNames": { + "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-1',parameters('scope')))]", + "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-2',parameters('scope')))]", + "roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-3',parameters('scope')))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').vmArcChangeTracking]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').vmArcChangeTracking]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "dcrResourceId": { + "value": 
"[parameters('dataCollectionRuleResourceId')]" + }, + "effect": { + "value": "[parameters('effect')]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmArcChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmArcChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmArcChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmArcChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameReader]", + "scope": "[parameters('platformScope')]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmArcChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]", + "principalId": 
"[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmArcChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json new file mode 100644 index 0000000000..8c878a37f5 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json 
@@ -0,0 +1,227 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "dataCollectionRuleResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId to the Data collection rule" + } + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Provide your own user assigned managed identity to be used for the policy assignment" + } + }, + "restrictBringYourOwnUserAssignedIdentityToSubscription": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Enable this to enforce that the user assigned identity must exist in the same subscription as the virtual machine. When true, must provide User-Assigned Managed Identity Name and User-Assigned Managed Identity Resource Group Name parameters. When false, the parameter User Assigned Managed Identity Resource Id will be used instead." 
+ } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId of the user assigned managed identity" + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "effect": { + "type": "string", + "metadata": { + "description": "Enable or disable the policy assignment" + }, + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "scope": { + "type": "String", + "metadata": { + "displayName": "Scope", + "description": "Scope of the policy assignment" + } + }, + "platformScope": { + "type": "String", + "metadata": { + "displayName": "Platform Scope", + "description": "Scope of the reader role assignment" + }, + "defaultValue": "[parameters('scope')]" + } + }, + "variables": { + "policyDefinitions": { + "vmChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354" + }, + "policyAssignmentNames": { + "vmChangeTracking": "Deploy-VM-ChangeTrack", + "description": "Enable ChangeTracking and Inventory for virtual machines. 
Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.", + "displayName": "Enable ChangeTracking and Inventory for virtual machines" + }, + "nonComplianceMessage": { + "message": "Change Tracking {enforcementMode} be enabled for Virtual Machines.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830", + "rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7", + "roleAssignmentNames": { + "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,parameters('scope')))]", + "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-2',parameters('scope')))]", + "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-3',parameters('scope')))]", + "roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-4',parameters('scope')))]", + "roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-5',parameters('scope')))]", + "roleAssignmentNamePlatformManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-6',parameters('scope')))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": 
"[variables('policyAssignmentNames').vmChangeTracking]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').vmChangeTracking]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "dcrResourceId": { + "value": "[parameters('dataCollectionRuleResourceId')]" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "restrictBringYourOwnUserAssignedIdentityToSubscription": { + "value": "[parameters('restrictBringYourOwnUserAssignedIdentityToSubscription')]" + }, + "userAssignedIdentityResourceId": { + "value": "[parameters('userAssignedIdentityResourceId')]" + }, + "effect": { + "value": "[parameters('effect')]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": 
"[variables('roleAssignmentNames').roleAssignmentNameVmContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": "Microsoft.Authorization/roleAssignments", + 
"apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameReader]", + "scope": "[parameters('platformScope')]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNamePlatformManagedIdentityOperator]", + "scope": "[parameters('platformScope')]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json new file mode 100644 index 0000000000..04450021a3 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json 
@@ -0,0 +1,227 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "dataCollectionRuleResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId to the Data collection rule" + } + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Provide your own user assigned managed identity to be used for the policy assignment" + } + }, + "restrictBringYourOwnUserAssignedIdentityToSubscription": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Enable this to enforce that the user assigned identity must exist in the same subscription as the virtual machine. When true, must provide User-Assigned Managed Identity Name and User-Assigned Managed Identity Resource Group Name parameters. When false, the parameter User Assigned Managed Identity Resource Id will be used instead." 
+ } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId of the user assigned managed identity" + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "effect": { + "type": "string", + "metadata": { + "description": "Enable or disable the policy assignment" + }, + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "scope": { + "type": "String", + "metadata": { + "displayName": "Scope", + "description": "Scope of the policy assignment" + } + }, + "platformScope": { + "type": "String", + "metadata": { + "displayName": "Platform Scope", + "description": "Scope of the reader role assignment" + }, + "defaultValue": "[parameters('scope')]" + } + }, + "variables": { + "policyDefinitions": { + "vmssChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc" + }, + "policyAssignmentNames": { + "vmssChangeTracking": "Deploy-VMSS-ChangeTrack", + "description": "Enable ChangeTracking and Inventory for virtual machine scale sets. 
Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.", + "displayName": "Enable ChangeTracking and Inventory for virtual machine scale sets" + }, + "nonComplianceMessage": { + "message": "Change Tracking {enforcementMode} be enabled for Virtual Machines Scales Sets.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830", + "rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7", + "roleAssignmentNames": { + "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-1',parameters('scope')))]", + "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-2',parameters('scope')))]", + "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-3',parameters('scope')))]", + "roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-4',parameters('scope')))]", + "roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-5',parameters('scope')))]", + "roleAssignmentNamePlatformManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-6',parameters('scope')))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": 
"2022-06-01", + "name": "[variables('policyAssignmentNames').vmssChangeTracking]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').vmssChangeTracking]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "dcrResourceId": { + "value": "[parameters('dataCollectionRuleResourceId')]" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "restrictBringYourOwnUserAssignedIdentityToSubscription": { + "value": "[parameters('restrictBringYourOwnUserAssignedIdentityToSubscription')]" + }, + "userAssignedIdentityResourceId": { + "value": "[parameters('userAssignedIdentityResourceId')]" + }, + "effect": { + "value": "[parameters('effect')]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": 
"[variables('roleAssignmentNames').roleAssignmentNameVmContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": "Microsoft.Authorization/roleAssignments", + 
"apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameReader]", + "scope": "[parameters('platformScope')]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNamePlatformManagedIdentityOperator]", + "scope": "[parameters('platformScope')]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssChangeTracking]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json index 7e1fe22d4f..58989a4d2e 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json 
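Review bot: The `restrictBringYourOwnUserAssignedIdentityToSubscription` description tells callers that when it is true they "must provide User-Assigned Managed Identity Name and User-Assigned Managed Identity Resource Group Name parameters", but this template declares no such parameters and forwards only `userAssignedIdentityResourceId` to the initiative, so the true path cannot work as documented unless the initiative supplies its own defaults. Either expose and pass those parameters or reword the description to match what the template actually forwards; the assignment `description` likewise promises "an option to input applicable locations" that this template does not expose. Minor: `userAssignedIdentityResourceId` has no `defaultValue`, so a caller that sets `bringYourOwnUserAssignedManagedIdentity` to false still has to pass a value (`"defaultValue": ""` would match the Defender-for-SQL template in this PR), and `scope`/`platformScope` use `"type": "String"` while every other parameter here uses `"string"`.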
@@ -14,7 +14,11 @@
 "Default",
 "DoNotEnforce"
 ],
- "defaultValue": "Default"
+ "defaultValue": "DoNotEnforce"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
 },
 "retentionInDays": {
 "type": "string",
@@ -62,7 +66,12 @@
 "description": "Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking.",
 "displayName": "Configure Log Analytics workspace and automation account to centralize logs and monitoring"
 },
- "rbac": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "nonComplianceMessage": {
+ "message": "Log Analytics workspace and automation account {enforcementMode} be configured to centralize logs and monitoring.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
 "roleAssignmentNames": {
 "deployLogAnalytics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').logAnalytics))]"
 }
@@ -70,7 +79,7 @@
 "resources": [
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').loganalytics]",
 "location": "[deployment().location]",
 "identity": {
@@ -81,6 +90,11 @@
 "displayName": "[variables('policyAssignmentNames').displayName]",
 "policyDefinitionId": "[variables('policyDefinitions').deployLogAnalytics]",
 "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ],
 "parameters": {
 "workspaceName": {
 "value": "[parameters('logAnalyticsWorkspaceName')]"
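Review bot: The first hunk flips the `enforcementMode` default from `Default` to `DoNotEnforce`, so a deployment that takes the defaults will no longer have the Log Analytics workspace and automation account deployed by the policy (only reported as non-compliant, with remediation left to a manual task), yet the parameter carries no `metadata.description` recording that intent. Add one next to `allowedValues`, for example `"metadata": { "description": "Defaults to DoNotEnforce; set to Default to have the workspace and automation account deployed by the policy." }` (constructed wording), so consumers of this template learn about the behaviour change here rather than from missing resources. The `rbac` → `rbacContributor` rename is applied consistently in the next hunk and the `nonComplianceMessages` block matches the other templates in this PR.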
@@ -112,7 +126,7 @@
 ],
 "properties": {
 "principalType": "ServicePrincipal",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbac'))]",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
 "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').loganalytics), '2019-09-01', 'Full' ).identity.principalId)]"
 }
 }
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json
new file mode 100644
index 0000000000..4b533d4947
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json
@@ -0,0 +1,80 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3" + }, + "policyAssignmentNames": { + "azureSecurityMDE": "Deploy-MDEndpointsAMA", + "description": "Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). 
See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.", + "displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud" + }, + "nonComplianceMessage": { + "message": "Microsoft Defender for Endpoint {enforcementMode} be deployed.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacSecurityAdmin": "fb1c8493-542b-48eb-b624-b4c8fea62acd", + "roleAssignmentNames": { + "deployMDEndpoints": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurityMDE))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').azureSecurityMDE]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deployMDEndpoints]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": {} + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployMDEndpoints]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureSecurityMDE]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacSecurityAdmin'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', 
variables('policyAssignmentNames').azureSecurityMDE), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json new file mode 100644 index 0000000000..7f81ce19cc --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json 
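Review bot: The role assignment in this new file pins `"apiVersion": "2019-04-01-preview"` for `Microsoft.Authorization/roleAssignments`, while the other new templates in this PR (ChangeTracking VMSS, Defender for SQL AMA) use `2022-04-01`; a brand-new template should not depend on a preview API version, so change it to `"apiVersion": "2022-04-01"`. The same applies to the MDEndpoints template that follows. Separately, the policy identity is granted Security Admin (`rbacSecurityAdmin`) at the assignment scope; that is presumably what the initiative's `roleDefinitionIds` call for to write Defender for Cloud integration settings, but it is worth confirming against the definition before merging, since it is a tenant-wide security-configuration role handed to an unattended identity.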
@@ -0,0 +1,103 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "enableMDEndpoints": { + "type": "string", + "allowedValues": [ + "Disabled", + "DeployIfNotExists", + "AuditIfNotExists" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "variables": { + "policyDefinitions": { + "deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc" + }, + "policyAssignmentNames": { + "azureSecurityMDE": "Deploy-MDEndpoints", + "description": "Deploy Microsoft Defender for Endpoint agent on applicable images.", + "displayName": "[Preview]: Deploy Microsoft Defender for Endpoint agent" + }, + "nonComplianceMessage": { + "message": "Microsoft Defender for Endpoint agent {enforcementMode} be deployed on applicable images.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployMDEndpoints": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurityMDE))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').azureSecurityMDE]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": 
"[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deployMDEndpoints]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "microsoftDefenderForEndpointWindowsVmAgentDeployEffect": { + "value": "[parameters('enableMDEndpoints')]" + }, + "microsoftDefenderForEndpointLinuxVmAgentDeployEffect": { + "value": "[parameters('enableMDEndpoints')]" + }, + "microsoftDefenderForEndpointWindowsArcAgentDeployEffect": { + "value": "[parameters('enableMDEndpoints')]" + }, + "microsoftDefenderForEndpointLinuxArcAgentDeployEffect": { + "value": "[parameters('enableMDEndpoints')]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployMDEndpoints]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureSecurityMDE]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurityMDE), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json index 5536f87a94..83a0490843 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json 
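Review bot: The policy identity here is granted Contributor (`rbacContributor`) at the whole assignment scope for an initiative whose only job is to install the Defender for Endpoint extension on VMs and Arc machines, whereas the ChangeTracking templates in this PR grant the narrower Virtual Machine Contributor for comparable extension deployments. Check the `roleDefinitionIds` declared by the initiative's member definitions and, if they do not actually require Contributor, reuse the `rbacVMContributor` id from the ChangeTracking templates so the identity follows least privilege. Also in this file: the role assignment pins `2019-04-01-preview` (use `2022-04-01` like the other new templates), there is a stray blank line before the closing `]` of `resources`, and the file lacks a trailing newline.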
@@ -16,6 +16,10 @@
 ],
 "defaultValue": "Default"
 },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
 "logAnalyticsResourceId": {
 "type": "string",
 "metadata": {
@@ -36,6 +40,14 @@
 ],
 "defaultValue": "Disabled"
 },
+ "enableAscForServersVulnerabilityAssessments": {
+ "type": "string",
+ "allowedValues": [
+ "Disabled",
+ "DeployIfNotExists"
+ ],
+ "defaultValue": "Disabled"
+ },
 "enableAscForSql": {
 "type": "string",
 "allowedValues": [
@@ -92,15 +104,15 @@
 ],
 "defaultValue": "Disabled"
 },
- "enableAscForDns": {
- "type": "string",
+ "enableAscForOssDb": {
+ "type": "string",
 "allowedValues": [
 "Disabled",
 "DeployIfNotExists"
 ],
- "defaultValue": "Disabled"
+ "defaultValue": "Disabled"
 },
- "enableAscForOssDb": {
+ "enableAscForCosmosDbs": {
 "type": "string",
 "allowedValues": [
 "Disabled",
@@ -108,7 +120,7 @@
 ],
 "defaultValue": "Disabled"
 },
- "enableAscForCosmosDbs": {
+ "enableAscForCspm": {
 "type": "string",
 "allowedValues": [
 "Disabled",
@@ -119,13 +131,18 @@
 },
 "variables": {
 "policyDefinitions": {
- "deployAzureSecurity": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config')]"
+ "deployAzureSecurity": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319')]"
 },
 "policyAssignmentNames": {
- "azureSecurity": "Deploy-MDFC-Config",
+ "azureSecurity": "Deploy-MDFC-Config-H224",
 "description": "Deploy Microsoft Defender for Cloud and Security Contacts",
 "displayName": "Deploy Microsoft Defender for Cloud configuration"
 },
+ "nonComplianceMessage": {
+ "message": "Microsoft Defender for Cloud and Security Contacts {enforcementMode} be deployed.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
 "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
 "roleAssignmentNames": {
 "deployAzureSecurity": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurity))]"
@@ -134,7 +151,7 @@
 "resources": [
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').azureSecurity]",
 "location": "[deployment().location]",
 "identity": {
@@ -145,6 +162,11 @@
 "displayName": "[variables('policyAssignmentNames').displayName]",
 "policyDefinitionId": "[variables('policyDefinitions').deployAzureSecurity]",
 "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ],
 "parameters": {
 "emailSecurityContact": {
 "value": "[parameters('emailContactAsc')]"
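Review bot: Renaming `azureSecurity` to `Deploy-MDFC-Config-H224` (and pointing it at the `Deploy-MDFC-Config_20240319` set) creates a second assignment rather than updating the existing `Deploy-MDFC-Config` one, so a tenant that redeploys keeps the old assignment, its system-assigned identity and that identity's Owner role assignment (`rbacOwner`, unchanged here) alongside the new pair unless something else in this PR removes them. If that cleanup is not part of the PR, state it in the PR description and plan a decommission step for the old identity, since a stale policy identity holding Owner at the management group is a standing privilege nobody is watching. Related breaking change worth calling out in the same place: the `@@ -92,15` hunk in the preceding line drops the `enableAscForDns` parameter entirely, so callers that still pass it will fail the deployment with an unknown-parameter error.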
@@ -161,6 +183,9 @@
 "enableAscForServers": {
 "value": "[parameters('enableAscForServers')]"
 },
+ "enableAscForServersVulnerabilityAssessments": {
+ "value": "[parameters('enableAscForServersVulnerabilityAssessments')]"
+ },
 "enableAscForSql": {
 "value": "[parameters('enableAscForSql')]"
 },
@@ -182,14 +207,14 @@
 "enableAscForArm": {
 "value": "[parameters('enableAscForArm')]"
 },
- "enableAscForDns": {
- "value": "[parameters('enableAscForDns')]"
- },
 "enableAscForOssDb": {
 "value": "[parameters('enableAscForOssDb')]"
 },
 "enableAscForCosmosDbs": {
 "value": "[parameters('enableAscForCosmosDbs')]"
+ },
+ "enableAscForCspm": {
+ "value": "[parameters('enableAscForCspm')]"
 }
 }
 }
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json
new file mode 100644
index 0000000000..645286c7fd
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json
@@ -0,0 +1,278 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "userWorkspaceResourceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Resource Id", + "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "omsWorkspace" + } + }, + "workspaceRegion": { + "type": "String", + "metadata": { + "displayName": "Workspace region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "location" + } + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "Bool", + "metadata": { + "displayName": "Enable collection of SQL queries for security research", + "description": "Enable or disable the collection of SQL queries for security research." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": false + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Bool", + "metadata": { + "displayName": "Bring your own User-Assigned Managed Identity", + "description": "Enable this to use your own user-assigned managed identity. The pre-created identity MUST exist otherwise the policy deployment will fail. If enabled, ensure that the user-assigned managed identity resource ID parameter matches the pre-created user-assigned managed identity resource ID. 
If not enabled, the policy will create a new user-assigned managed identitiy per subscription, in a new resource group named 'Built-In-Identity-RG'." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "userAssignedIdentityResourceId": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource ID", + "description": "The resource ID of the pre-created user-assigned managed identity. This parameter is only used when bringYourOwnUserAssignedManagedIdentity is set to true." + }, + "defaultValue": "" + }, + "bringYourOwnDcr": { + "type": "Bool", + "metadata": { + "displayName": "Bring your own DCR", + "description": "Enable this to use your own Data Collection Rule. The pre-created Data Collection Rule MUST exist otherwise the policy deployment will fail. If enabled, ensure that the Data Collection Rule Resource ID parameter matches the pre-created Data Collection Rule Resource ID. If not enabled, the policy will create a new Data Collection Rule per subscription." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "dcrResourceId": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Resource ID", + "description": "The resource ID of the user-defined Data Collection Rule. This parameter is only used when bringYourOwnDcr is set to true." 
+ }, + "defaultValue": "" + }, + "scope": { + "type": "String", + "metadata": { + "displayName": "Scope", + "description": "Scope of the policy assignment" + } + }, + "platformScope": { + "type": "String", + "metadata": { + "displayName": "Platform Scope", + "description": "Scope of the reader role assignment" + }, + "defaultValue": "[parameters('scope')]" + } + }, + "variables": { + "policyDefinitions": { + "deployazureDefenderSQL": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26" + }, + "policyAssignmentNames": { + "azureDefenderSQL": "Deploy-MDFC-DefSQL-AMA", + "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations).", + "displayName": "Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers" + }, + "nonComplianceMessage": { + "message": "Microsoft Defender for SQL {enforcementMode} be deployed.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830", + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7", + "roleAssignmentNames": { + "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,parameters('scope')))]", + "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,'-2',parameters('scope')))]", + "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,'-3',parameters('scope')))]", + 
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,'-4',parameters('scope')))]", + "roleAssignmentNameContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,'-5',parameters('scope')))]", + "roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,'-6',parameters('scope')))]", + "roleAssignmentNamePlatformManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,'-7',parameters('scope')))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').azureDefenderSQL]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deployazureDefenderSQL]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "workspaceRegion": { + "value": "[parameters('workspaceRegion')]" + }, + "userWorkspaceResourceId": { + "value": "[parameters('userWorkspaceResourceId')]" + }, + "bringYourOwnDcr": { + "value": "[parameters('bringYourOwnDcr')]" + }, + "dcrResourceId": { + "value": "[parameters('dcrResourceId')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + }, + 
"bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "userAssignedIdentityResourceId": { + "value": "[parameters('userAssignedIdentityResourceId')]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureDefenderSQL]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureDefenderSQL]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureDefenderSQL]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]", + "principalId": 
"[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureDefenderSQL]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureDefenderSQL]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameReader]", + "scope": "[parameters('platformScope')]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureDefenderSQL]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', 
variables('rbacReader'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNamePlatformManagedIdentityOperator]", + "scope": "[parameters('platformScope')]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureDefenderSQL]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json index 6396394bd1..eb870bfe7b 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json @@ -16,6 +16,10 @@ ], "defaultValue": "Default" }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, "dnsZoneResourceGroupId": { "type": "string", "metadata": { 
@@ -30,6 +34,76 @@ } }, "variables": { + "azBackupGeoCodes": { + "australiacentral": "acl", + "australiacentral2": "acl2", + "australiaeast": "ae", + "australiasoutheast": "ase", + "brazilsouth": "brs", + "brazilsoutheast": "bse", + "centraluseuap": "ccy", + "canadacentral": "cnc", + "canadaeast": "cne", + "centralus": "cus", + "eastasia": "ea", + "eastus2euap": "ecy", + "eastus": "eus", + "eastus2": "eus2", + "francecentral": "frc", + "francesouth": "frs", + "germanynorth": "gn", + "germanywestcentral": "gwc", + "centralindia": "inc", + "southindia": "ins", + "westindia": "inw", + "italynorth": "itn", + "japaneast": "jpe", + "japanwest": "jpw", + "jioindiacentral": "jic", + "jioindiawest": "jiw", + "koreacentral": "krc", + "koreasouth": "krs", + "northcentralus": "ncus", + "northeurope": "ne", + "norwayeast": "nwe", + "norwaywest": "nww", + "qatarcentral": "qac", + "southafricanorth": "san", + "southafricawest": "saw", + "southcentralus": "scus", + "swedencentral": "sdc", + "swedensouth": "sds", + "southeastasia": "sea", + "switzerlandnorth": "szn", + "switzerlandwest": "szw", + "uaecentral": "uac", + "uaenorth": "uan", + "uksouth": "uks", + "ukwest": "ukw", + "westcentralus": "wcus", + "westeurope": "we", + "westus": "wus", + "westus2": "wus2", + "westus3": "wus3", + "usdodcentral": "udc", + "usdodeast": "ude", + "usgovarizona": "uga", + "usgoviowa": "ugi", + "usgovtexas": "ugt", + "usgovvirginia": "ugv", + "usnateast": "exe", + "usnatwest": "exw", + "usseceast": "rxe", + "ussecwest": "rxw", + "chinanorth": "bjb", + "chinanorth2": "bjb2", + "chinanorth3": "bjb3", + "chinaeast": "sha", + "chinaeast2": "sha2", + "chinaeast3": "sha3", + "germanycentral": "gec", + "germanynortheast": "gne" + }, "baseId": "[concat(parameters('dnsZoneResourceGroupId'), '/providers/Microsoft.Network/privateDnsZones/')]", "policyParameterMapping": { "azureFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.afs.azure.net')]", 
@@ -42,6 +116,7 @@
 "azureCosmosTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.cosmos.azure.com')]",
 "azureDataFactoryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.datafactory.azure.net')]",
 "azureDataFactoryPortalPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.adf.azure.com')]",
+ "azureDatabricksPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azuredatabricks.net')]",
 "azureHDInsightPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurehdinsight.net')]",
 "azureMigratePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.prod.migration.windowsazure.com')]",
 "azureStorageBlobPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
@@ -81,8 +156,23 @@ "azureAcrPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurecr.io')]", "azureEventHubNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", "azureMachineLearningWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.azureml.ms')]", + "azureMachineLearningWorkspaceSecondPrivateDnsZoneId" : "[concat(variables('baseId'), 'privatelink.notebooks.azure.net')]", "azureServiceBusNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]", - "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.windows.net')]" + "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.windows.net')]", + "azureBotServicePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.directline.botframework.com')]", + "azureManagedGrafanaWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.grafana.azure.com')]", + "azureVirtualDesktopHostpoolPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.wvd.microsoft.com')]", + "azureVirtualDesktopWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.wvd.microsoft.com')]", + "azureIotDeviceupdatePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.net')]", + "azureArcGuestconfigurationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.guestconfiguration.azure.com')]", + "azureArcHybridResourceProviderPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.his.arc.azure.com')]", + "azureArcKubernetesConfigurationPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.dp.kubernetesconfiguration.azure.com')]", + "azureIotCentralPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azureiotcentral.com')]", + "azureStorageTablePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.core.windows.net')]", + 
"azureStorageTableSecondaryPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.table.core.windows.net')]", + "azureSiteRecoveryBackupPrivateDnsZoneID": "[concat(variables('baseId'), replace('privatelink.regionGeoShortCode.backup.windowsazure.com','regionGeoShortCode',variables('azBackupGeoCodes')[toLower(parameters('location'))]))]", + "azureSiteRecoveryBlobPrivateDnsZoneID": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]", + "azureSiteRecoveryQueuePrivateDnsZoneID": "[concat(variables('baseId'), 'privatelink.queue.core.windows.net')]" }, "policyDefinitions": { "deployPrivateDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones')]" @@ -92,6 +182,11 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones" }, + "nonComplianceMessage": { + "message": "Azure PaaS services {enforcementMode} use private DNS zones.", + "Default": "must", + "DoNotEnforce": "should" + }, "roleAssignmentNames": { "deployPrivateDnsZones": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployPrivateDnsZones))]" }, @@ -100,7 +195,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').deployPrivateDnsZones]", "location": "[deployment().location]", "identity": { 
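Review bot: `azureSiteRecoveryBackupPrivateDnsZoneID` indexes `variables('azBackupGeoCodes')` with `toLower(parameters('location'))`, so the whole template fails validation for any region missing from that hand-maintained map (newly launched regions will be), and the `location` parameter it reads is not added by the visible parameters hunk of this file — confirm it is already declared. The four new keys ending in `PrivateDnsZoneID` break the `PrivateDnsZoneId` casing every other entry uses; given that this same commit renames `azureIoTPrivateDnsZoneId` to `azureIotPrivateDnsZoneId` purely for casing, it is worth confirming these names match the Deploy-Private-DNS-Zones initiative parameters exactly. There is also a stray space before the colon in `"azureMachineLearningWorkspaceSecondPrivateDnsZoneId" :`.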
@@ -111,6 +206,11 @@
 "displayName": "[variables('policyAssignmentNames').displayName]",
 "policyDefinitionId": "[variables('policyDefinitions').deployPrivateDnsZones]",
 "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ],
 "parameters": {
 "azureFilePrivateDnsZoneId": {
 "value": "[variables('policyParameterMapping').azureFilePrivateDnsZoneId]"
@@ -142,6 +242,9 @@
 "azureDataFactoryPortalPrivateDnsZoneId": {
 "value": "[variables('policyParameterMapping').azureDataFactoryPortalPrivateDnsZoneId]"
 },
+ "azureDatabricksPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureDatabricksPrivateDnsZoneId]"
+ },
 "azureHDInsightPrivateDnsZoneId": {
 "value": "[variables('policyParameterMapping').azureHDInsightPrivateDnsZoneId]"
 },
@@ -220,7 +323,7 @@
 "azureAsrPrivateDnsZoneId": {
 "value": "[variables('policyParameterMapping').azureAsrPrivateDnsZoneId]"
 },
- "azureIoTPrivateDnsZoneId": {
+ "azureIotPrivateDnsZoneId": {
 "value": "[variables('policyParameterMapping').azureIotPrivateDnsZoneId]"
 },
 "azureKeyVaultPrivateDnsZoneId": {
@@ -259,11 +362,56 @@ "azureMachineLearningWorkspacePrivateDnsZoneId": { "value": "[variables('policyParameterMapping').azureMachineLearningWorkspacePrivateDnsZoneId]" }, + "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureMachineLearningWorkspaceSecondPrivateDnsZoneId]" + }, "azureServiceBusNamespacePrivateDnsZoneId": { "value": "[variables('policyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId]" }, "azureCognitiveSearchPrivateDnsZoneId": { "value": "[variables('policyParameterMapping').azureCognitiveSearchPrivateDnsZoneId]" + }, + "azureBotServicePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureBotServicePrivateDnsZoneId]" + }, + "azureManagedGrafanaWorkspacePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureManagedGrafanaWorkspacePrivateDnsZoneId]" + }, + "azureVirtualDesktopHostpoolPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureVirtualDesktopHostpoolPrivateDnsZoneId]" + }, + "azureVirtualDesktopWorkspacePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureVirtualDesktopWorkspacePrivateDnsZoneId]" + }, + "azureIotDeviceupdatePrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureIotDeviceupdatePrivateDnsZoneId]" + }, + "azureArcGuestconfigurationPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureArcGuestconfigurationPrivateDnsZoneId]" + }, + "azureArcHybridResourceProviderPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureArcHybridResourceProviderPrivateDnsZoneId]" + }, + "azureArcKubernetesConfigurationPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureArcKubernetesConfigurationPrivateDnsZoneId]" + }, + "azureIotCentralPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureIotCentralPrivateDnsZoneId]" + }, + "azureStorageTablePrivateDnsZoneId": { + "value": 
"[variables('policyParameterMapping').azureStorageTablePrivateDnsZoneId]" + }, + "azureStorageTableSecondaryPrivateDnsZoneId": { + "value": "[variables('policyParameterMapping').azureStorageTableSecondaryPrivateDnsZoneId]" + }, + "azureSiteRecoveryBackupPrivateDnsZoneID": { + "value": "[variables('policyParameterMapping').azureSiteRecoveryBackupPrivateDnsZoneID]" + }, + "azureSiteRecoveryBlobPrivateDnsZoneID": { + "value": "[variables('policyParameterMapping').azureSiteRecoveryBlobPrivateDnsZoneID]" + }, + "azureSiteRecoveryQueuePrivateDnsZoneID": { + "value": "[variables('policyParameterMapping').azureSiteRecoveryQueuePrivateDnsZoneID]" } } } diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json index 848f556c70..66eff07691 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json 
@@ -21,26 +21,37 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { "policyDefinitions": { - "deployResourceDiagnostics": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics')]" - }, + "deployResourceDiagnostics": "/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038" + }, "policyAssignmentNames": { - "resourceDiagnostics": "Deploy-Resource-Diag", - "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included", - "displayName": "Deploy Diagnostic Settings to Azure Services" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployResourceRiagnostics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').resourceDiagnostics))]" - } + "resourceDiagnostics": "Deploy-Diag-Logs", + "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. 
This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.", + "displayName": "Enable allLogs category group resource logging for supported resources to Log Analytics" + }, + "nonComplianceMessage": { + "message": "Diagnostic settings {enforcementMode} be deployed to Azure services to forward logs to Log Analytics.", + "Default": "must", + "DoNotEnforce": "should" }, + "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "roleAssignmentNames": { + "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').resourceDiagnostics,'-1'))]", + "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').resourceDiagnostics,'-2'))]" + } + }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').resourceDiagnostics]", "location": "[deployment().location]", "identity": { @@ -51,6 +62,11 @@ "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployResourceDiagnostics]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "parameters": { "logAnalytics": { "value": "[parameters('logAnalyticsResourceId')]" 
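Review bot: The new `description` says the initiative routes logs "to an Event Hub", while the `displayName` on the next line, the `nonComplianceMessage` and the only parameter passed (`logAnalytics`) all say Log Analytics; the text looks copied from a sibling initiative and should read `... to route logs to a Log Analytics workspace for all supported resources.` Separately, the swap from `rbacOwner` to Monitoring Contributor and Log Analytics Contributor only takes effect for fresh deployments: the assignment is renamed to `Deploy-Diag-Logs` and the role-assignment GUIDs change, so an incremental management-group deployment leaves the previous `Deploy-Resource-Diag` assignment and its Owner role assignment in place. The same applies to the renamed assignments in DINE-SQLAuditingPolicyAssignment.json and DINE-SQLEncryptionPolicyAssignment.json and to the re-keyed role assignments in DINE-VMBackupPolicyAssignment.json; a migration note or cleanup step for existing landing zones would make the least-privilege change real for brownfield deployments.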
@@ -61,13 +77,26 @@ { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployResourceRiagnostics]", + "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').resourceDiagnostics]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').resourceDiagnostics), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]", "dependsOn": [ "[variables('policyAssignmentNames').resourceDiagnostics]" ], "properties": { "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]", "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').resourceDiagnostics), '2019-09-01', 'Full' ).identity.principalId)]" } } diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json index f1e656caa2..0f6a0e58c3 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json 
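Review bot: Both `Microsoft.Authorization/roleAssignments` resources in this hunk keep `"apiVersion": "2019-04-01-preview"`, while the role assignments this same commit adds for the Defender-for-SQL assignment use `2022-04-01`; since this block is rewritten anyway, moving it to `2022-04-01` would keep the templates uniform. The same preview apiVersion is used in the role assignments of DINE-SQLAuditingPolicyAssignment.json, DINE-SQLEncryptionPolicyAssignment.json, DINE-SQLThreatPolicyAssignment.json and DINE-VMBackupPolicyAssignment.json.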
@@ -8,6 +8,12 @@
 "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
 }
 },
+ "logAnalyticsResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the resourceId for the central Log Analytics workspace."
+ }
+ },
 "enforcementMode": {
 "type": "string",
 "allowedValues": [
@@ -15,26 +21,35 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { "policyDefinitions": { - "deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9" + "deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb" }, "policyAssignmentNames": { - "deploySqlAuditing": "Deploy-SQL-DB-Auditing", - "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", - "displayName": "Auditing on SQL server should be enabled" + "deploySqlAuditing": "Deploy-AzSqlDb-Auditing", + "description": "To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.", + "displayName": "Configure SQL servers to have auditing enabled to Log Analytics workspace" }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deploySqlAuditing": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlAuditing))]" - } + "nonComplianceMessage": { + "message": "SQL servers {enforcementMode} have auditing enabled to Log Analytics workspace.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "rbacSqlSecurityManager": "056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlAuditing,'-1'))]", + "roleAssignmentNameSqlSecurityManager": 
"[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlAuditing,'-2'))]" }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').deploySqlAuditing]", "location": "[deployment().location]", "identity": { 
@@ -44,22 +59,50 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deploySqlAuditing]", - "enforcementMode": "[parameters('enforcementMode')]" + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "logAnalyticsWorkspaceId": { + "value": "[parameters('logAnalyticsResourceId')]" + } + } } }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deploySqlAuditing]", + "name": "[variables('roleAssignmentNameLogAnalyticsContributor')]", "dependsOn": [ "[variables('policyAssignmentNames').deploySqlAuditing]" ], "properties": { "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]", + "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlAuditing), '2019-09-01', 'Full' ).identity.principalId]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNameSqlSecurityManager')]", + "dependsOn": [ + "[variables('policyAssignmentNames').deploySqlAuditing]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacSqlSecurityManager'))]", "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', 
variables('policyAssignmentNames').deploySqlAuditing), '2019-09-01', 'Full' ).identity.principalId]" } } ], - "outputs": {} -} \ No newline at end of file + "outputs": { + "principalId": { + "type": "string", + "value": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlAuditing), '2019-09-01', 'Full').identity.principalId]" + } + } +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json index d7182cc3f2..d5ae811a94 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json 
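Review bot: Both `principalId` expressions in this hunk and the new `principalId` output pass the identity's principal id through without `toLower(...)`, whereas every sibling template touched by this commit wraps it as `[toLower(reference(...).identity.principalId)]`; functionally harmless, but inconsistent. The assignment parameter `logAnalyticsWorkspaceId` is fed from `parameters('logAnalyticsResourceId')` — confirm that name matches the built-in definition `25da7dfb-0666-4a15-a8f5-402127efd8bb`, since a mismatch only surfaces at deployment time. The role-assignment names `roleAssignmentNameLogAnalyticsContributor` and `roleAssignmentNameSqlSecurityManager` are top-level variables here rather than keys under a `roleAssignmentNames` object as in the other files; nesting them would keep the templates uniform.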
@@ -15,27 +15,35 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { "policyDefinitions": { - "deploySqlEncryption": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5" + "deploySqlEncryption": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f" }, "policyAssignmentNames": { - "deploySqlEncryption": "Deploy-SQL-Threat", - "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", - "displayName": "Deploy Threat Detection on SQL servers" - + "deploySqlEncryption": "Deploy-SQL-TDE", + "description": "This policy ensures that Transparent Data Encryption is enabled on SQL Servers.", + "displayName": "Deploy TDE on SQL servers" + }, + "nonComplianceMessage": { + "message": "TDE {enforcementMode} be deployed on SQL servers.", + "Default": "must", + "DoNotEnforce": "should" }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "rbacSqlDbContributor": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", "roleAssignmentNames": { - "deploySqlEncryption": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlEncryption))]" + "roleAssignmentNameSqlDbContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlEncryption))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').deploySqlEncryption]", "location": "[deployment().location]", "identity": { 
@@ -45,19 +53,24 @@
 "description": "[variables('policyAssignmentNames').description]",
 "displayName": "[variables('policyAssignmentNames').displayName]",
 "policyDefinitionId": "[variables('policyDefinitions').deploySqlEncryption]",
- "enforcementMode": "[parameters('enforcementMode')]"
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
 }
 },
 {
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2019-04-01-preview",
- "name": "[variables('roleAssignmentNames').deploySqlEncryption]",
+ "name": "[variables('roleAssignmentNames').roleAssignmentNameSqlDbContributor]",
 "dependsOn": [
 "[variables('policyAssignmentNames').deploySqlEncryption]"
 ],
 "properties": {
 "principalType": "ServicePrincipal",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacSqlDbContributor'))]",
 "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlEncryption), '2019-09-01', 'Full' ).identity.principalId)]"
 }
 }
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json
new file mode 100644
index 0000000000..d96cb25411
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json
@@ -0,0 +1,79 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "deploySqlThreat": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5" + }, + "policyAssignmentNames": { + "deploySqlThreat": "Deploy-SQL-Threat", + "description": "This policy ensures that Threat Detection is enabled on SQL Servers.", + "displayName": "Deploy Threat Detection on SQL servers" + }, + "nonComplianceMessage": { + "message": "Threat Detection {enforcementMode} be deployed on SQL servers.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacSQLSecMan": "056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "roleAssignmentNames": { + "deploySqlThreat": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlThreat))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').deploySqlThreat]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deploySqlThreat]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": 
"[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deploySqlThreat]", + "dependsOn": [ + "[variables('policyAssignmentNames').deploySqlThreat]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacSQLSecMan'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlThreat), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json index 07340a0c99..e59ec5297c 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json @@ -16,6 +16,10 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" } }, "variables": { 
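Review bot: The role assignment name `[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlThreat))]` with `deploySqlThreat` = `Deploy-SQL-Threat` yields the same GUID the pre-change DINE-SQLEncryptionPolicyAssignment.json computed for its Owner role assignment (that file also used `Deploy-SQL-Threat` as the assignment name), but here it carries `rbacSQLSecMan` instead of Owner. Role assignment properties cannot be changed in place, so on a landing zone that already deployed the old template this PUT targets an existing assignment with a different `roleDefinitionId` and is likely to be rejected rather than downgraded; salting the name the way the other files do (append `'-1'`) and documenting removal of the stale Owner assignment would avoid that. `rbacSQLSecMan` is also the same role id the SQLAuditing template names `rbacSqlSecurityManager`; one spelling across templates would help when auditing which identities hold it. The file is also committed without a trailing newline.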
@@ -27,15 +31,22 @@ "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy" }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "nonComplianceMessage": { + "message": "Backup on virtual machines without a given tag {enforcementMode} be configured to a new recovery services vault with a default policy.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "rbacBackupContributor": "5e467623-bb1f-42f4-a55d-6e525e11384b", "roleAssignmentNames": { - "deployVmBackup": "[guid(concat(parameters('toplevelManagementGroupPrefix'), 'identity', variables('policyAssignmentNames').deployVmBackup))]" + "roleAssignmentNameBackupContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deployVmBackup,'-1'))]", + "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deployVmBackup,'-2'))]" } }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').deployVmBackup]", "location": "[deployment().location]", "identity": { 
@@ -46,22 +57,40 @@ "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployVmBackup]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "parameters": {} } }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployVmBackup]", + "name": "[variables('roleAssignmentNames').roleAssignmentNameBackupContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').deployVmBackup]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacBackupContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployVmBackup), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]", "dependsOn": [ "[variables('policyAssignmentNames').deployVmBackup]" ], "properties": { "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]", "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployVmBackup), '2019-09-01', 'Full' ).identity.principalId)]" } - } + } ], "outputs": {} } \ No newline at end of file 
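Review bot: The two `Microsoft.Authorization/roleAssignments` resources added here keep `"apiVersion": "2019-04-01-preview"`, while every role assignment in the new and rewritten templates later in this diff uses `"apiVersion": "2022-04-01"`; the preview version is the odd one out and should be aligned, `"apiVersion": "2022-04-01",`. The policy assignment was bumped to `2022-06-01` on the previous hunk but both `reference()` calls still read it with `'2019-09-01'`, presumably harmless since only `identity.principalId` is read, but worth aligning so the versions do not drift further. The `}` re-indent at the end of the resources array is cosmetic.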
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json
new file mode 100644
index 0000000000..500577b696
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json
@@ -0,0 +1,148 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "dataCollectionRuleResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the resourceId to the Data collection rule"
+ }
+ },
+ "enableProcessesAndDependencies": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Enable processes and dependencies for the VMs"
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "scope": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Scope",
+ "description": "Scope of the policy assignment"
+ }
+ },
+ "platformScope": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Platform Scope",
+ "description": "Scope of the reader role assignment"
+ },
+ "defaultValue": "[parameters('scope')]"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "vmHybridMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321"
+ },
+ "policyAssignmentNames": {
+ "vmHybridMonitoring": "Deploy-vmHybr-Monitoring",
+ "description": "Enable Azure Monitor for Hybrid Virtual Machines in the specified scope (Management group, Subscription or resource group).",
+ "displayName": "Enable Azure Monitor for Hybrid Virtual Machines"
+ },
+ "nonComplianceMessage": {
+ "message": "Azure Monitor {enforcementMode} be enabled for Hybrid Virtual Machines.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
+ "roleAssignmentNames": {
+ "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-1',parameters('scope')))]",
+ "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-2',parameters('scope')))]",
+ "roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-3',parameters('scope')))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').vmHybridMonitoring]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').vmHybridMonitoring]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ],
+ "parameters": {
+ "dcrResourceId": {
+ "value": "[parameters('dataCollectionRuleResourceId')]"
+ },
+ "enableProcessesAndDependencies": {
+ "value": "[parameters('enableProcessesAndDependencies')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').vmHybridMonitoring]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmHybridMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').vmHybridMonitoring]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmHybridMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ },
+ {
+ "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
+ "scope": "[parameters('platformScope')]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').vmHybridMonitoring]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmHybridMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
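Review bot: The `scope` parameter is described as "Scope of the policy assignment", but the `policyAssignments` resource has no `scope` property, so the assignment and the two unconditional role assignments land at the deployment's own scope regardless of what `scope` holds; the parameter only salts the `guid()` names and drives the `platformScope` condition. If a caller passes a value other than the deployment scope, the Reader grant on `platformScope` can be skipped or duplicated and the deterministic names no longer correspond to the scope they were deployed to. Either document that `scope` must equal the deployment scope, e.g. `"description": "Scope this template is deployed to; used to derive role assignment names and to decide whether a separate Reader grant on platformScope is needed"`, or use `parameters('scope')` in a `scope` property on the resources. Minor: the guid expressions spell the parameter `toplevelManagementGroupPrefix` while it is declared `topLevelManagementGroupPrefix` (case-insensitive in ARM, but inconsistent).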
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json
index a69fd99fcc..17afd3061b 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json
@@ -9,10 +9,44 @@ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." } }, - "logAnalyticsResourceId": { + "dataCollectionRuleResourceId": { "type": "string", "metadata": { - "description": "Provide the resourceId to the central Log Analytics workspace" + "description": "Provide the resourceId to the Data collection rule" + } + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Provide your own user assigned managed identity to be used for the policy assignment" + } + }, + "restrictBringYourOwnUserAssignedIdentityToSubscription": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Enable this to enforce that the user assigned identity must exist in the same subscription as the virtual machine. When true, must provide User-Assigned Managed Identity Name and User-Assigned Managed Identity Resource Group Name parameters. When false, the parameter User Assigned Managed Identity Resource Id will be used instead." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId of the user assigned managed identity" + } + }, + "enableProcessesAndDependencies": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Enable processes and dependencies for the VMs" + } + }, + "scopeToSupportedImages": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Scope the policy assignment to supported images" } }, "enforcementMode": { 
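Review bot: The description of `restrictBringYourOwnUserAssignedIdentityToSubscription` tells the caller that when it is true they "must provide User-Assigned Managed Identity Name and User-Assigned Managed Identity Resource Group Name parameters", but this template declares no such parameters and the assignment in the later hunk only forwards `userAssignedIdentityResourceId`, so a caller who sets the flag gets whatever the initiative's own defaults are. Either add and forward those two parameters or reword the description to what this template supports, e.g. `"description": "Enable this to enforce that the user assigned identity must exist in the same subscription as the virtual machine. This template only forwards userAssignedIdentityResourceId; the per-subscription identity name and resource group parameters are not exposed."`. The same text is copied into the VMSS template later in this diff.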
@@ -22,26 +56,59 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "scope": { + "type": "String", + "metadata": { + "displayName": "Scope", + "description": "Scope of the policy assignment" + } + }, + "platformScope": { + "type": "String", + "metadata": { + "displayName": "Platform Scope", + "description": "Scope of the reader role assignment" + }, + "defaultValue": "[parameters('scope')]" } }, "variables": { "policyDefinitions": { - "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a" - }, + "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6" + }, "policyAssignmentNames": { "vmMonitoring": "Deploy-VM-Monitoring", "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.", "displayName": "Enable Azure Monitor for VMs" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployVmMonitoring": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring))]" - } }, + "nonComplianceMessage": { + "message": "Azure Monitor {enforcementMode} be enabled for Virtual Machines.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830", + "rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7", + "roleAssignmentNames": { + "roleAssignmentNameLogAnalyticsContributor": 
"[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,parameters('scope')))]", + "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-2',parameters('scope')))]", + "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-3',parameters('scope')))]", + "roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-4',parameters('scope')))]", + "roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-5',parameters('scope')))]", + "roleAssignmentNamePlatformManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-6',parameters('scope')))]" + } + }, "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').vmMonitoring]", "location": "[deployment().location]", "identity": { 
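Review bot: The assignment description still ends with "Takes Log Analytics workspace as parameter." although this commit replaces the workspace with a Data Collection Rule (`dataCollectionRuleResourceId`), so the text shown in the portal is now wrong; change it to `Takes a Data Collection Rule as parameter.`. Also `roleAssignmentNameLogAnalyticsContributor` is the only entry in `roleAssignmentNames` without a `-N` salt (the VMSS and hybrid templates use `'-1'`), which is harmless for uniqueness but inconsistent across the three templates. The same stale sentence is in the VMSS template's description later in this diff.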
@@ -52,27 +119,115 @@ "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmMonitoring]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "parameters": { - "logAnalytics_1": { - "value": "[parameters('logAnalyticsResourceId')]" + "dcrResourceId": { + "value": "[parameters('dataCollectionRuleResourceId')]" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "restrictBringYourOwnUserAssignedIdentityToSubscription": { + "value": "[parameters('restrictBringYourOwnUserAssignedIdentityToSubscription')]" + }, + "userAssignedIdentityResourceId": { + "value": "[parameters('userAssignedIdentityResourceId')]" + }, + "enableProcessesAndDependencies": { + "value": "[parameters('enableProcessesAndDependencies')]" + }, + "scopeToSupportedImages": { + "value": "[parameters('scopeToSupportedImages')]" } } } }, { "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployVmMonitoring]", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + 
"apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": "Microsoft.Authorization/roleAssignments", 
+ "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameReader]", + "scope": "[parameters('platformScope')]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNamePlatformManagedIdentityOperator]", + "scope": "[parameters('platformScope')]", "dependsOn": [ "[variables('policyAssignmentNames').vmMonitoring]" ], "properties": { "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]", "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" } } ], "outputs": {} } - \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json index ca0e41dbf4..d71b203284 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json 
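Review bot: Managed Identity Operator is granted to the policy identity over the whole deployment scope (`roleAssignmentNameManagedIdentityOperator`) and again over the whole `platformScope` (`roleAssignmentNamePlatformManagedIdentityOperator`), although the identity it needs to attach is the single resource given by `userAssignedIdentityResourceId`. That role lets the principal assign any user-assigned identity in those scopes to VMs it can modify, which is broader than the remediation needs; at least when `restrictBringYourOwnUserAssignedIdentityToSubscription` is false, scoping the grant to the identity resource (`"scope": "[parameters('userAssignedIdentityResourceId')]"`) would be tighter, if the deployment can target that scope. The same pair of grants appears in the VMSS template later in this diff.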
@@ -9,10 +9,44 @@ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." } }, - "logAnalyticsResourceId": { + "dataCollectionRuleResourceId": { "type": "string", "metadata": { - "description": "Provide the resourceId to the central Log Analytics workspace" + "description": "Provide the resourceId to the Data collection rule" + } + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Provide your own user assigned managed identity to be used for the policy assignment" + } + }, + "restrictBringYourOwnUserAssignedIdentityToSubscription": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Enable this to enforce that the user assigned identity must exist in the same subscription as the virtual machine. When true, must provide User-Assigned Managed Identity Name and User-Assigned Managed Identity Resource Group Name parameters. When false, the parameter User Assigned Managed Identity Resource Id will be used instead." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId of the user assigned managed identity" + } + }, + "enableProcessesAndDependencies": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Enable processes and dependencies for the VMs" + } + }, + "scopeToSupportedImages": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Scope the policy assignment to supported images" } }, "enforcementMode": { 
@@ -22,26 +56,59 @@ "DoNotEnforce" ], "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "scope": { + "type": "String", + "metadata": { + "displayName": "Scope", + "description": "Scope of the policy assignment" + } + }, + "platformScope": { + "type": "String", + "metadata": { + "displayName": "Platform Scope", + "description": "Scope of the reader role assignment" + }, + "defaultValue": "[parameters('scope')]" } }, "variables": { "policyDefinitions": { - "vmssMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad" - }, + "vmssMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485" + }, "policyAssignmentNames": { "vmssMonitoring": "Deploy-VMSS-Monitoring", "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. 
In CLI this would be az vmss update-instances.", "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets" - }, - "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleAssignmentNames": { - "deployVmssMonitoring": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring))]" - } }, + "nonComplianceMessage": { + "message": "Azure Monitor {enforcementMode} be enabled for Virtual Machines Scales Sets.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830", + "rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7", + "roleAssignmentNames": { + "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-1',parameters('scope')))]", + "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-2',parameters('scope')))]", + "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-3',parameters('scope')))]", + "roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-4',parameters('scope')))]", + "roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-5',parameters('scope')))]", + "roleAssignmentNamePlatformManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-6',parameters('scope')))]" + } + }, "resources": [ 
{ "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2019-09-01", + "apiVersion": "2022-06-01", "name": "[variables('policyAssignmentNames').vmssMonitoring]", "location": "[deployment().location]", "identity": { 
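Review bot: The new non-compliance message reads "Azure Monitor {enforcementMode} be enabled for Virtual Machines Scales Sets." — "Scales Sets" is a typo that will be shown to users on every non-compliant resource; it should be `"message": "Azure Monitor {enforcementMode} be enabled for Virtual Machine Scale Sets.",`. The `allowedValues` on `enforcementMode` are what keep the `variables('nonComplianceMessage')[parameters('enforcementMode')]` lookup safe, so any mode added there needs a matching key in this object.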
@@ -52,23 +119,112 @@ "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmssMonitoring]", "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], "parameters": { - "logAnalytics_1": { - "value": "[parameters('logAnalyticsResourceId')]" + "dcrResourceId": { + "value": "[parameters('dataCollectionRuleResourceId')]" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "restrictBringYourOwnUserAssignedIdentityToSubscription": { + "value": "[parameters('restrictBringYourOwnUserAssignedIdentityToSubscription')]" + }, + "userAssignedIdentityResourceId": { + "value": "[parameters('userAssignedIdentityResourceId')]" + }, + "enableProcessesAndDependencies": { + "value": "[parameters('enableProcessesAndDependencies')]" + }, + "scopeToSupportedImages": { + "value": "[parameters('scopeToSupportedImages')]" } } } }, { "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[variables('roleAssignmentNames').deployVmssMonitoring]", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + 
"apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": 
"Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNameReader]", + "scope": "[parameters('platformScope')]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmssMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[not(equals(parameters('platformScope'), parameters('scope')))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[variables('roleAssignmentNames').roleAssignmentNamePlatformManagedIdentityOperator]", + "scope": "[parameters('platformScope')]", "dependsOn": [ "[variables('policyAssignmentNames').vmssMonitoring]" ], "properties": { "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]", "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]" } } diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-ALZ-DecommissionedPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-ALZ-DecommissionedPolicyAssignment.json new file mode 100644 index 0000000000..c43ac7f356 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-ALZ-DecommissionedPolicyAssignment.json 
@@ -0,0 +1,96 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "listOfResourceTypesAllowed": { + "type": "Array", + "defaultValue": [ + "microsoft.consumption/tags", + "microsoft.authorization/roleassignments", + "microsoft.authorization/roledefinitions", + "microsoft.authorization/policyassignments", + "microsoft.authorization/locks", + "microsoft.authorization/policydefinitions", + "microsoft.authorization/policysetdefinitions", + "microsoft.resources/tags", + "microsoft.authorization/roleeligibilityschedules", + "microsoft.authorization/roleeligibilityscheduleinstances", + "microsoft.authorization/roleassignmentschedules", + "microsoft.authorization/roleassignmentscheduleinstances" + ] + } + }, + "variables": { + "policyDefinitions": { + "enforceAlzDecommissioned": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm')]" + }, + "policyAssignmentNames": { + "alzDecommission": "Enforce-ALZ-Decomm", + "description": "This initiative will help enforce and govern subscriptions that are placed within the decommissioned Management Group as part of your Subscription decommissioning process. 
See https://aka.ms/alz/policies for more information.", + "displayName": "Enforce ALZ Decommissioned Guardrails" + }, + "nonComplianceMessage": { + "message": "ALZ Decommissioned Guardrails {enforcementMode} be enforced.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "roleAssignmentNames": { + "deployDecommRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').alzDecommission))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').alzDecommission]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceAlzDecommissioned]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "listOfResourceTypesAllowed": { + "value": "[parameters('listOfResourceTypesAllowed')]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployDecommRoles]", + "dependsOn": [ + "[variables('policyAssignmentNames').alzDecommission]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').alzDecommission), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file 
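Review bot: The `nonComplianceMessage` variable and the `nonComplianceMessagePlaceholder` parameter in this template are never used, because the policyAssignment's `properties` block omits the `nonComplianceMessages` property that the Sandbox template in this same commit carries; as written, resources denied by Enforce-ALZ-Decomm get no explanatory message. Add `"nonComplianceMessages": [ { "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" } ]` to the assignment's properties, matching the Sandbox template. The roleAssignments resource also grants the assignment's system-assigned identity `rbacVMContributor` at the whole assignment scope under the preview `apiVersion` `2019-04-01-preview`, while the vmssMonitoring template modified in this commit uses `2022-04-01`; the ACSB, CMK, APIM, AppServices, Automation and CognitiveServices templates pin the same preview version. Whether VM Contributor is the minimum the initiative's remediation effects need cannot be checked from this template, so a short note in the template's top-level `metadata` naming which policy in Enforce-ALZ-Decomm requires it would make the grant reviewable.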
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-ALZ-SandboxPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-ALZ-SandboxPolicyAssignment.json
new file mode 100644
index 0000000000..895703c491
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-ALZ-SandboxPolicyAssignment.json
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "listOfResourceTypesNotAllowed": { + "type": "Array", + "defaultValue": [ + "microsoft.network/expressroutecircuits", + "microsoft.network/expressroutegateways", + "microsoft.network/expressrouteports", + "microsoft.network/virtualwans", + "microsoft.network/virtualhubs", + "microsoft.network/vpngateways", + "microsoft.network/p2svpngateways", + "microsoft.network/vpnsites", + "microsoft.network/virtualnetworkgateways" + ] + } + }, + "variables": { + "policyDefinitions": { + "enforceAlzSandbox": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox')]" + }, + "policyAssignmentNames": { + "alzSandbox": "Enforce-ALZ-Sandbox", + "description": "This initiative will help enforce and govern subscriptions that are placed within the Sandbox Management Group. 
See https://aka.ms/alz/policies for more information.", + "displayName": "Enforce ALZ Sandbox Guardrails" + }, + "nonComplianceMessage": { + "message": "ALZ Sandbox Guardrails {enforcementMode} be enforced.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').alzSandbox]", + "location": "[deployment().location]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceAlzSandbox]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "listOfResourceTypesNotAllowed": { + "value": "[parameters('listOfResourceTypesNotAllowed')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-AcsbPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-AcsbPolicyAssignment.json new file mode 100644 index 0000000000..4bc91dc750 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-AcsbPolicyAssignment.json 
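Review bot: The `$schema` of this template and of the Decommissioned one is `managementGroupDeploymentTemplate.json#`, whereas every other assignment template added in this commit (ACSB, Backup, CMK, APIM, AppServices, Automation, CognitiveServices) declares `tenantDeploymentTemplate.json#`; all of them appear to be deployed the same way (management-group-scoped definition ids, `deployment().location`), so the two should agree. Both of these files also end without a trailing newline (`\ No newline at end of file`), unlike the rest of the folder. Unless the management-group schema is deliberate for these two, aligning on one schema keeps validation tooling behaving consistently across the folder.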
@@ -0,0 +1,79 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "enforceAcsb": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB')]" + }, + "policyAssignmentNames": { + "enforceAcsb": "Enforce-ACSB", + "description": "This initiative assignment enables Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines.", + "displayName": "Enforce Azure Compute Security Baseline compliance auditing" + }, + "nonComplianceMessage": { + "message": "Azure Compute Security Baseline compliance auditing {enforcementMode} be enforced.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').enforceAcsb))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceAcsb]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": 
"[variables('policyDefinitions').enforceAcsb]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[variables('policyAssignmentNames').enforceAcsb]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceAcsb), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-BackupPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-BackupPolicyAssignment.json new file mode 100644 index 0000000000..ac77101473 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-BackupPolicyAssignment.json 
@@ -0,0 +1,58 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsBackup": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Backup')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsBackup": "Enforce-ASR", + "description": "This initiative assignment enables recommended ALZ guardrails for Azure Recovery Services.", + "displayName": "Enforce enhanced recovery and backup policies" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Azure Recovery Services (Backup and Site Recovery).", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsBackup]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsBackup]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), 
variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json new file mode 100644 index 0000000000..df50ebb27f --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-EncryptionCMKPolicyAssignment.json 
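Review bot: The assignment name `Enforce-ASR` does not match the policy set definition it assigns (`Enforce-Backup`) or the variable key `enforceGuardrailsBackup`, so the deployed assignment's name points readers at Site Recovery while the initiative being assigned is the Backup one. If the name is not deliberately kept for an already-deployed assignment, `"enforceGuardrailsBackup": "Enforce-Backup",` keeps the three identifiers aligned; if it is deliberate, a `metadata.description` saying so would stop the next reader from "fixing" it. Unlike the other templates in this commit, this assignment has no `identity`, `location` or roleAssignments, which is consistent with an initiative that carries no remediation effects but is worth confirming against the Enforce-Backup definition.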
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsCMK": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsCMK": "[concat('Enforce-Encrypt-CMK', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Customer Managed Keys.", + "displayName": "Enforce recommended guardrails for Customer Managed Keys" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Customer Managed Keys.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsCMK))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsCMK]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsCMK]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsCMK)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsCMK), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAPIMPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAPIMPolicyAssignment.json new file mode 100644 index 0000000000..357c0a1aec --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAPIMPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsAPIM": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsAPIM": "[concat('Enforce-GR-APIM', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for API Management.", + "displayName": "Enforce recommended guardrails for API Management" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for API Management.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsAPIM))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsAPIM]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", 
+ "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsAPIM]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsAPIM)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsAPIM), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAppServicesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAppServicesPolicyAssignment.json new file mode 100644 index 0000000000..3969cc3787 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAppServicesPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsAppServices": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsAppServices": "[concat('Enforce-GR-AppServices', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for App Services.", + "displayName": "Enforce recommended guardrails for App Services" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for App Services.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsAppServices))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsAppServices]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsAppServices]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsAppServices)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsAppServices), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAutomationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAutomationPolicyAssignment.json new file mode 100644 index 0000000000..d43297d47d --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsAutomationPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsAutomation": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsAutomation": "[concat('Enforce-GR-Automation', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Automation Accounts.", + "displayName": "Enforce recommended guardrails for Automation Accounts" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Automation Accounts.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsAutomation))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsAutomation]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsAutomation]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsAutomation)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsAutomation), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCognitiveServicesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCognitiveServicesPolicyAssignment.json new file mode 100644 index 0000000000..891aee217b --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCognitiveServicesPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsCognitiveServices": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsCognitiveServices": "[concat('Enforce-GR-CogServ', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Cognitive Services.", + "displayName": "Enforce recommended guardrails for Cognitive Services" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Cognitive Services.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsCognitiveServices))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsCognitiveServices]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + 
"properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsCognitiveServices]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsCognitiveServices)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsCognitiveServices), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsComputePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsComputePolicyAssignment.json new file mode 100644 index 0000000000..a507d822be --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsComputePolicyAssignment.json 
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsCompute": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsCompute": "[concat('Enforce-GR-Compute', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Compute.",
+ "displayName": "Enforce recommended guardrails for Compute"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Compute.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsCompute))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsCompute]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsCompute]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsCompute)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsCompute), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerAppsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerAppsPolicyAssignment.json
new file mode 100644
index 0000000000..8305812e34
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerAppsPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsContainerApps": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsContainerApps": "[concat('Enforce-GR-ContApps', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Container Apps.",
+ "displayName": "Enforce recommended guardrails for Container Apps"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Container Apps.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsContainerApps))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsContainerApps]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsContainerApps]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsContainerApps)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsContainerApps), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerInstancePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerInstancePolicyAssignment.json
new file mode 100644
index 0000000000..90154b263d
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerInstancePolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsContainerInstance": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsContainerInstance": "[concat('Enforce-GR-ContInst', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Container Instance.",
+ "displayName": "Enforce recommended guardrails for Container Instance"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Container Instance.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsContainerInstance))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsContainerInstance]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsContainerInstance]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsContainerInstance)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsContainerInstance), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerRegistryPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerRegistryPolicyAssignment.json
new file mode 100644
index 0000000000..5679741c18
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsContainerRegistryPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsContainerRegistry": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsContainerRegistry": "[concat('Enforce-GR-ContReg', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Container Registry.",
+ "displayName": "Enforce recommended guardrails for Container Registry"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Container Registry.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsContainerRegistry))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsContainerRegistry]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsContainerRegistry]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsContainerRegistry)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsContainerRegistry), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCosmosDbPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCosmosDbPolicyAssignment.json
new file mode 100644
index 0000000000..de4798bbbd
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsCosmosDbPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsCosmosDb": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsCosmosDb": "[concat('Enforce-GR-CosmosDb', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Cosmos DB.",
+ "displayName": "Enforce recommended guardrails for Cosmos DB"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Cosmos DB.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsCosmosDb))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsCosmosDb]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsCosmosDb]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsCosmosDb)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsCosmosDb), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataExplorerPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataExplorerPolicyAssignment.json
new file mode 100644
index 0000000000..cac0a40e1f
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataExplorerPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsDataExplorer": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsDataExplorer": "[concat('Enforce-GR-DataExpl', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Data Explorer.",
+ "displayName": "Enforce recommended guardrails for Data Explorer"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Data Explorer.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsDataExplorer))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsDataExplorer]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsDataExplorer]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsDataExplorer)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsDataExplorer), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataFactoryPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataFactoryPolicyAssignment.json
new file mode 100644
index 0000000000..2991f85509
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsDataFactoryPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsDataFactory": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsDataFactory": "[concat('Enforce-GR-DataFactory', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Data Factory.",
+ "displayName": "Enforce recommended guardrails for Data Factory"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Data Factory.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsDataFactory))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsDataFactory]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsDataFactory]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsDataFactory)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsDataFactory), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventGridPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventGridPolicyAssignment.json
new file mode 100644
index 0000000000..20aa445ca6
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventGridPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsEventGrid": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsEventGrid": "[concat('Enforce-GR-EventGrid', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Event Grid.",
+ "displayName": "Enforce recommended guardrails for Event Grid"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Event Grid.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsEventGrid))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsEventGrid]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsEventGrid]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsEventGrid)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsEventGrid), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventHubPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventHubPolicyAssignment.json
new file mode 100644
index 0000000000..538e190e28
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsEventHubPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsEventHub": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsEventHub": "[concat('Enforce-GR-EventHub', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Event Hub.",
+ "displayName": "Enforce recommended guardrails for Event Hub"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Event Hub.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsEventHub))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsEventHub]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsEventHub]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsEventHub)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsEventHub), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultPolicyAssignment.json
similarity index 54%
rename from eslzArm/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json
rename to eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultPolicyAssignment.json
index 5e883c03e9..776ccbe064 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultPolicyAssignment.json
@@ -15,30 +15,39 @@
 "DoNotEnforce"
 ],
 "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
 }
 },
 "variables": {
 "policyDefinitions": {
- "denyRdp": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet')]"
- },
+ "enforceGuardrailsKeyVault": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault')]"
+ },
 "policyAssignmentNames": {
- "denyRdp": "Deny-RDP-from-internet",
- "description": "This policy denies any network security rule that allows RDP access from Internet",
- "displayName": "RDP access from the Internet should be blocked"
+ "enforceGuardrailsKeyVault": "Enforce-GR-KeyVault",
+ "description": "This initiative assignment enables recommended ALZ guardrails for Azure Key Vault.",
+ "displayName": "Enforce recommended guardrails for Azure Key Vault"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Azure Key Vault.",
+ "Default": "must",
+ "DoNotEnforce": "should"
 }
 },
 "resources": [
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
- "name": "[variables('policyAssignmentNames').denyRdp]",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsKeyVault]",
 "properties": {
 "description": "[variables('policyAssignmentNames').description]",
 "displayName": "[variables('policyAssignmentNames').displayName]",
- "policyDefinitionId": "[variables('policyDefinitions').denyRdp]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsKeyVault]",
 "enforcementMode": "[parameters('enforcementMode')]"
 }
 }
 ],
 "outputs": {}
-}
\ No newline at end of file
+}
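Review bot: The new `nonComplianceMessagePlaceholder` parameter and `nonComplianceMessage` variable are declared but never used — unlike the sibling Enforce-GR templates, the policyAssignments `properties` block here carries no `nonComplianceMessages` entry, so the message is never attached to the assignment. Adding `"nonComplianceMessages": [ { "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" } ]` after `enforcementMode` brings it in line with the other templates. This assignment also has no `location`/`identity` block, which is only correct if every definition in Enforce-Guardrails-KeyVault is audit or deny; if any member uses Modify or DeployIfNotExists, remediation cannot run without a managed identity and a role assignment, so that should be confirmed against the initiative. Since this file is a rename of the Deny-RDP-from-Internet assignment template, it is worth confirming that the RDP-from-Internet deny is still assigned by another template before merging. The `parameters` object this hunk edits starts before line 15, outside the hunk.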
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultSupPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultSupPolicyAssignment.json
new file mode 100644
index 0000000000..00b01aa98d
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKeyVaultSupPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsKeyVaultSup": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsKeyVaultSup": "[concat('Enforce-GR-KeyVaultSup', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Key Vault Supplementary.",
+ "displayName": "Enforce recommended guardrails for Key Vault Supplementary"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Key Vault Supplementary.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsKeyVaultSup))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsKeyVaultSup]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsKeyVaultSup]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsKeyVaultSup)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsKeyVaultSup), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKubernetesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKubernetesPolicyAssignment.json
new file mode 100644
index 0000000000..06119cf2a8
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsKubernetesPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsKubernetes": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsKubernetes": "[concat('Enforce-GR-Kubernetes', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Kubernetes.",
+ "displayName": "Enforce recommended guardrails for Kubernetes"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Kubernetes.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsKubernetes))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsKubernetes]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsKubernetes]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsKubernetes)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsKubernetes), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMachineLearningPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMachineLearningPolicyAssignment.json
new file mode 100644
index 0000000000..15f6121759
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMachineLearningPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsMachineLearning": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsMachineLearning": "[concat('Enforce-GR-MachLearn', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Machine Learning.",
+ "displayName": "Enforce recommended guardrails for Machine Learning"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Machine Learning.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsMachineLearning))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsMachineLearning]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsMachineLearning]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsMachineLearning)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsMachineLearning), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMySQLPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMySQLPolicyAssignment.json
new file mode 100644
index 0000000000..9a4c3f61e6
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsMySQLPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsMySQL": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsMySQL": "[concat('Enforce-GR-MySQL', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for MySQL.",
+ "displayName": "Enforce recommended guardrails for MySQL"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for MySQL.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsMySQL))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsMySQL]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsMySQL]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsMySQL)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsMySQL), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsNetworkPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsNetworkPolicyAssignment.json
new file mode 100644
index 0000000000..8caedd913f
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsNetworkPolicyAssignment.json
@@ -0,0 +1,92 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ },
+ "ddosPlanResourceId": {
+ "type": "string",
+ "defaultValue": ""
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsNetwork": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsNetwork": "[concat('Enforce-GR-Network', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for Network and Networking services.",
+ "displayName": "Enforce recommended guardrails for Network and Networking services"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for Network and Networking services.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsNetwork))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsNetwork]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsNetwork]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "ddosPlanResourceId": {
+ "value": "[parameters('ddosPlanResourceId')]"
+ }
+ },
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsNetwork)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsNetwork), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsOpenAIPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsOpenAIPolicyAssignment.json
new file mode 100644
index 0000000000..d8c8a3e443
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsOpenAIPolicyAssignment.json
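Review bot: `ddosPlanResourceId` defaults to the empty string and is passed unchanged into the initiative's `ddosPlanResourceId` parameter, yet it is the only template-specific input here and has no `metadata.description`, so a deployer cannot tell from the template whether leaving it empty is safe. Presumably a DDoS definition inside Enforce-Guardrails-Network consumes it; if that definition has a Modify or DeployIfNotExists effect, an empty id means remediation is configured against no plan at all, which should be stated rather than left implicit. Suggested metadata: `"description": "Resource ID of the DDoS Network Protection plan the initiative should associate with virtual networks; leave empty only if DDoS protection is intentionally not deployed."`. The least-privilege and apiVersion points raised on the Event Hub assignment hunk apply to this template as well.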
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsOpenAI": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsOpenAI": "[concat('Enforce-GR-OpenAI', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for OpenAI.",
+ "displayName": "Enforce recommended guardrails for OpenAI"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for OpenAI.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsOpenAI))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsOpenAI]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsOpenAI]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsOpenAI)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsOpenAI), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsPostgreSQLPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsPostgreSQLPolicyAssignment.json
new file mode 100644
index 0000000000..620aa456f1
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsPostgreSQLPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsPostgreSQL": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsPostgreSQL": "[concat('Enforce-GR-PostgreSQL', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for PostgreSQL.",
+ "displayName": "Enforce recommended guardrails for PostgreSQL"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for PostgreSQL.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsPostgreSQL))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsPostgreSQL]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsPostgreSQL]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsPostgreSQL)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsPostgreSQL), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSQLPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSQLPolicyAssignment.json
new file mode 100644
index 0000000000..b1f5c74a60
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSQLPolicyAssignment.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assignmentIndex": {
+ "type": "int",
+ "defaultValue": 0
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "enforceGuardrailsSQL": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL')]"
+ },
+ "policyAssignmentNames": {
+ "enforceGuardrailsSQL": "[concat('Enforce-GR-SQL', parameters('assignmentIndex'))]",
+ "description": "This initiative assignment enables additional ALZ guardrails for SQL.",
+ "displayName": "Enforce recommended guardrails for SQL"
+ },
+ "nonComplianceMessage": {
+ "message": "Recommended guardrails {enforcementMode} be enforced for SQL.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "roleAssignmentNames": {
+ "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsSQL))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').enforceGuardrailsSQL]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsSQL]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsSQL)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsSQL), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsServiceBusPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsServiceBusPolicyAssignment.json
new file mode 100644
index 0000000000..235ac1b028
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsServiceBusPolicyAssignment.json
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsServiceBus": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsServiceBus": "[concat('Enforce-GR-ServiceBus', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Service Bus.", + "displayName": "Enforce recommended guardrails for Service Bus" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Service Bus.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsServiceBus))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsServiceBus]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": 
"[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsServiceBus]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsServiceBus)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsServiceBus), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json new file mode 100644 index 0000000000..cc2c0ed034 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsStorage": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsStorage": "[concat('Enforce-GR-Storage', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Storage.", + "displayName": "Enforce recommended guardrails for Storage" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Storage.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsStorage))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsStorage]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + 
"displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsStorage]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsStorage)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsStorage), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json new file mode 100644 index 0000000000..ea5f22e79d --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsSynapse": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsSynapse": "[concat('Enforce-GR-Synapse', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Synapse.", + "displayName": "Enforce recommended guardrails for Synapse" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Synapse.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsSynapse))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsSynapse]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + 
"displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsSynapse]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsSynapse)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsSynapse), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json new file mode 100644 index 0000000000..37c9c780e6 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json 
@@ -0,0 +1,83 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + }, + "assignmentIndex": { + "type": "int", + "defaultValue": 0 + } + }, + "variables": { + "policyDefinitions": { + "enforceGuardrailsVirtualDesktop": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop')]" + }, + "policyAssignmentNames": { + "enforceGuardrailsVirtualDesktop": "[concat('Enforce-GR-VirtualDesk', parameters('assignmentIndex'))]", + "description": "This initiative assignment enables additional ALZ guardrails for Virtual Desktop.", + "displayName": "Enforce recommended guardrails for Virtual Desktop" + }, + "nonComplianceMessage": { + "message": "Recommended guardrails {enforcementMode} be enforced for Virtual Desktop.", + "Default": "must", + "DoNotEnforce": "should" + }, + "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').enforceGuardrailsVirtualDesktop))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').enforceGuardrailsVirtualDesktop]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + 
"description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsVirtualDesktop]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployRoles]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').enforceGuardrailsVirtualDesktop)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceGuardrailsVirtualDesktop), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json new file mode 100644 index 0000000000..1d4a90f7bb --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json 
@@ -0,0 +1,4351 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "policySetDefinitionId": { + "type": "string", + "metadata": { + "description": "Resource ID of the Policy Initative (Set Definition)" + } + }, + "policySetDefinitionDisplayName": { + "type": "string", + "metadata": { + "description": "The Display Name for the Policy Initative (Set Definition)" + } + }, + "policySetDefinitionDescription": { + "type": "string", + "metadata": { + "description": "The Description for the Policy Initative (Set Definition)" + } + }, + "policyAssignmentName": { + "type": "string", + "metadata": { + "description": "The name for the Policy Assignment" + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "logAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The Resource ID of the Log Analytics Workspace" + } + }, + "regCompPolParAusGovIsmRestrictedVmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParAusGovIsmRestrictedResourceTypes": { + "type": "string", + "defaultValue": "all" + }, + "regCompPolParMPAACertificateThumb": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAAApplicationName": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAAStoragePrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAAResGroupPrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParMPAARBatchMetricName": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParSovBaseConfRegions": { + "type": "array", + "defaultValue": [] + }, + 
"regCompPolParSovBaseGlobalRegions": { + "type": "array", + "defaultValue": [] + }, + "regCompPolParSwift2020VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParSwift2020DomainFqdn": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCanadaFedPbmmVmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCanadaFedPbmmVmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCisV2KeyVaultKeysRotateDays": { + "type": "int", + "defaultValue": 90 + }, + "regCompPolParCmmcL3VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParCmmcL3VmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaApplicationName": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaStoragePrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaResGroupPrefix": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParHitrustHipaaCertificateThumb": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParIrs1075Sep2016VmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParIrs1075Sep2016VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNZIsmRestrictedVmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNZIsmRestrictedVmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNistSp800171R2VmAdminsExclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParNistSp800171R2VmAdminsInclude": { + "type": "string", + "defaultValue": "" + }, + "regCompPolParSoc2Type2AllowedRegistries": { + "type": "string", + "defaultValue": "^[^\\/]+\\.azurecr\\.io\\/.+$" + }, + "regCompPolParSoc2Type2MaxCpuUnits": { + "type": "string", + "defaultValue": "200m" + }, + "regCompPolParSoc2Type2MaxMemoryBytes": { + "type": "string", + "defaultValue": "1Gi" + } + }, + "variables": { + 
"rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), parameters('policyAssignmentName')))]" + }, + "knownPolicyInitativeDefinitionIdsThatRequireParamaeters": [ + "/providers/Microsoft.Authorization/policySetDefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077", + "/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8", + "/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea", + "/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523", + "/providers/Microsoft.Authorization/policySetDefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22", + "/providers/Microsoft.Authorization/policySetDefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87", + "/providers/Microsoft.Authorization/policySetDefinitions/06f19060-9e68-4070-92ca-f15cc126059e", + "/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de", + "/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab", + "/providers/Microsoft.Authorization/policySetDefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d", + "/providers/Microsoft.Authorization/policySetDefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a", + "/providers/Microsoft.Authorization/policySetDefinitions/03055927-78bd-4236-86c0-f36125a10dc9", + "/providers/Microsoft.Authorization/policySetDefinitions/4054785f-702b-4a98-9215-009cbd58b141" + ], + "allResourceTypes": [ + "Microsoft.Security/operations", + "Microsoft.Security/securityStatuses", + "Microsoft.Security/tasks", + "Microsoft.Security/secureScores", + "Microsoft.Security/secureScores/secureScoreControls", + "Microsoft.Security/secureScoreControls", + "Microsoft.Security/secureScoreControlDefinitions", + "Microsoft.Security/connectors", + "Microsoft.Security/regulatoryComplianceStandards", + 
"Microsoft.Security/regulatoryComplianceStandards/regulatoryComplianceControls", + "Microsoft.Security/regulatoryComplianceStandards/regulatoryComplianceControls/regulatoryComplianceAssessments", + "Microsoft.Security/alerts", + "Microsoft.Security/alertsSuppressionRules", + "Microsoft.Security/autoDismissAlertsRules", + "Microsoft.Security/dataCollectionAgents", + "Microsoft.Security/pricings", + "Microsoft.Security/pricings/securityOperators", + "Microsoft.Security/AutoProvisioningSettings", + "Microsoft.Security/MdeOnboardings", + "Microsoft.Security/vmScanners", + "Microsoft.Security/Compliances", + "Microsoft.Security/securityContacts", + "Microsoft.Security/workspaceSettings", + "Microsoft.Security/complianceResults", + "Microsoft.Security/policies", + "Microsoft.Security/assessments", + "Microsoft.Security/governanceRules", + "Microsoft.Security/assessments/governanceAssignments", + "Microsoft.Security/assessmentMetadata", + "Microsoft.Security/subAssessments", + "Microsoft.Security/securitySolutions", + "Microsoft.Security/locations/securitySolutions", + "Microsoft.Security/discoveredSecuritySolutions", + "Microsoft.Security/locations/discoveredSecuritySolutions", + "Microsoft.Security/allowedConnections", + "Microsoft.Security/locations/allowedConnections", + "Microsoft.Security/topologies", + "Microsoft.Security/locations/topologies", + "Microsoft.Security/securitySolutionsReferenceData", + "Microsoft.Security/locations/securitySolutionsReferenceData", + "Microsoft.Security/jitPolicies", + "Microsoft.Security/jitNetworkAccessPolicies", + "Microsoft.Security/locations/jitNetworkAccessPolicies", + "Microsoft.Security/locations", + "Microsoft.Security/securityStatusesSummaries", + "Microsoft.Security/applicationWhitelistings", + "Microsoft.Security/locations/applicationWhitelistings", + "Microsoft.Security/locations/alerts", + "Microsoft.Security/locations/tasks", + "Microsoft.Security/externalSecuritySolutions", + 
"Microsoft.Security/locations/externalSecuritySolutions", + "Microsoft.Security/InformationProtectionPolicies", + "Microsoft.Security/advancedThreatProtectionSettings", + "Microsoft.Security/sqlVulnerabilityAssessments", + "Microsoft.Security/deviceSecurityGroups", + "Microsoft.Security/iotSecuritySolutions", + "Microsoft.Security/iotSecuritySolutions/analyticsModels", + "Microsoft.Security/iotSecuritySolutions/iotAlertTypes", + "Microsoft.Security/iotSecuritySolutions/iotAlerts", + "Microsoft.Security/iotSecuritySolutions/iotRecommendationTypes", + "Microsoft.Security/iotSecuritySolutions/iotRecommendations", + "Microsoft.Security/iotSecuritySolutions/analyticsModels/aggregatedAlerts", + "Microsoft.Security/iotSecuritySolutions/analyticsModels/aggregatedRecommendations", + "Microsoft.Security/settings", + "Microsoft.Security/serverVulnerabilityAssessments", + "Microsoft.Security/serverVulnerabilityAssessmentsSettings", + "Microsoft.Security/adaptiveNetworkHardenings", + "Microsoft.Security/automations", + "Microsoft.Security/defenderForStorageSettings", + "Microsoft.Security/dataScanners", + "Microsoft.Security/securityConnectors", + "Microsoft.Security/securityConnectors/devops", + "Microsoft.Security/customRecommendations", + "Microsoft.Security/customAssessmentAutomations", + "Microsoft.Security/securityStandards", + "Microsoft.Security/standards", + "Microsoft.Security/standardAssignments", + "Microsoft.Security/assignments", + "Microsoft.Security/sensitivitySettings", + "Microsoft.Security/query", + "Microsoft.Security/applications", + "Microsoft.Security/apiCollections", + "Microsoft.Security/healthReports", + "Microsoft.Security/aggregations", + "Microsoft.Security/integrations", + "Microsoft.PolicyInsights/policyEvents", + "Microsoft.PolicyInsights/policyStates", + "Microsoft.PolicyInsights/operations", + "Microsoft.PolicyInsights/asyncOperationResults", + "Microsoft.PolicyInsights/remediations", + "Microsoft.PolicyInsights/eventGridFilters", + 
"Microsoft.PolicyInsights/checkPolicyRestrictions", + "Microsoft.PolicyInsights/policyTrackedResources", + "Microsoft.PolicyInsights/policyMetadata", + "Microsoft.Management/resources", + "Microsoft.Management/managementGroups", + "Microsoft.Management/getEntities", + "Microsoft.Management/managementGroups/settings", + "Microsoft.Management/checkNameAvailability", + "Microsoft.Management/operationResults", + "Microsoft.Management/operationResults/asyncOperation", + "Microsoft.Management/operations", + "Microsoft.Management/tenantBackfillStatus", + "Microsoft.Management/startTenantBackfill", + "Microsoft.Storage/storageAccounts/storageTaskAssignments", + "Microsoft.Storage/storageAccounts/encryptionScopes", + "Microsoft.Storage/deletedAccounts", + "Microsoft.Storage/locations/deletedAccounts", + "Microsoft.Storage/storageAccounts", + "Microsoft.Storage/storageTasks", + "Microsoft.Storage/operations", + "Microsoft.Storage/locations/asyncoperations", + "Microsoft.Storage/storageAccounts/listAccountSas", + "Microsoft.Storage/storageAccounts/listServiceSas", + "Microsoft.Storage/storageAccounts/blobServices", + "Microsoft.Storage/storageAccounts/tableServices", + "Microsoft.Storage/storageAccounts/queueServices", + "Microsoft.Storage/storageAccounts/fileServices", + "Microsoft.Storage/locations", + "Microsoft.Storage/locations/usages", + "Microsoft.Storage/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.Storage/usages", + "Microsoft.Storage/checkNameAvailability", + "Microsoft.Storage/locations/checkNameAvailability", + "Microsoft.Storage/storageAccounts/services", + "Microsoft.Storage/storageAccounts/services/metricDefinitions", + "Microsoft.Storage/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.OperationalInsights/workspaces", + "Microsoft.OperationalInsights/querypacks", + "Microsoft.OperationalInsights/locations", + "Microsoft.OperationalInsights/locations/operationStatuses", + 
"Microsoft.OperationalInsights/workspaces/scopedPrivateLinkProxies", + "Microsoft.OperationalInsights/workspaces/api", + "Microsoft.OperationalInsights/workspaces/query", + "Microsoft.OperationalInsights/workspaces/metadata", + "Microsoft.OperationalInsights/workspaces/purge", + "Microsoft.OperationalInsights/workspaces/operations", + "Microsoft.OperationalInsights/workspaces/dataSources", + "Microsoft.OperationalInsights/workspaces/linkedStorageAccounts", + "Microsoft.OperationalInsights/workspaces/tables", + "Microsoft.OperationalInsights/workspaces/storageInsightConfigs", + "Microsoft.OperationalInsights/storageInsightConfigs", + "Microsoft.OperationalInsights/workspaces/linkedServices", + "Microsoft.OperationalInsights/linkTargets", + "Microsoft.OperationalInsights/deletedWorkspaces", + "Microsoft.OperationalInsights/operations", + "Microsoft.OperationalInsights/clusters", + "Microsoft.OperationalInsights/workspaces/dataExports", + "Microsoft.OperationalInsights/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.Automation/automationAccounts", + "Microsoft.Automation/deletedAutomationAccounts", + "Microsoft.Automation/automationAccounts/runbooks", + "Microsoft.Automation/automationAccounts/configurations", + "Microsoft.Automation/automationAccounts/webhooks", + "Microsoft.Automation/operations", + "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations", + "Microsoft.Automation/automationAccounts/softwareUpdateConfigurationRuns", + "Microsoft.Automation/automationAccounts/softwareUpdateConfigurationMachineRuns", + "Microsoft.Automation/automationAccounts/jobs", + "Microsoft.Automation/automationAccounts/privateLinkResources", + "Microsoft.Automation/automationAccounts/privateEndpointConnections", + "Microsoft.Automation/automationAccounts/privateEndpointConnectionProxies", + "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups", + 
"Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers", + "Microsoft.Automation/automationAccounts/agentRegistrationInformation", + "Microsoft.Network/virtualNetworkGateways", + "Microsoft.Network/localNetworkGateways", + "Microsoft.Network/connections", + "Microsoft.Network/applicationGateways", + "Microsoft.Network/expressRouteCircuits", + "Microsoft.Network/expressRouteServiceProviders", + "Microsoft.Network/applicationGatewayAvailableWafRuleSets", + "Microsoft.Network/applicationGatewayAvailableSslOptions", + "Microsoft.Network/applicationGatewayAvailableServerVariables", + "Microsoft.Network/applicationGatewayAvailableRequestHeaders", + "Microsoft.Network/applicationGatewayAvailableResponseHeaders", + "Microsoft.Network/routeFilters", + "Microsoft.Network/bgpServiceCommunities", + "Microsoft.Network/vpnSites", + "Microsoft.Network/vpnServerConfigurations", + "Microsoft.Network/virtualHubs", + "Microsoft.Network/vpnGateways", + "Microsoft.Network/p2sVpnGateways", + "Microsoft.Network/expressRouteGateways", + "Microsoft.Network/expressRoutePortsLocations", + "Microsoft.Network/expressRoutePorts", + "Microsoft.Network/securityPartnerProviders", + "Microsoft.Network/azureFirewalls", + "Microsoft.Network/azureFirewallFqdnTags", + "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies", + "Microsoft.Network/locations/ApplicationGatewayWafDynamicManifests", + "Microsoft.Network/virtualWans", + "Microsoft.Network/bastionHosts", + "Microsoft.Network/queryExpressRoutePortsBandwidth", + "Microsoft.Network/trafficmanagerprofiles", + "Microsoft.Network/trafficmanagerprofiles/heatMaps", + "Microsoft.Network/trafficmanagerprofiles/azureendpoints", + "Microsoft.Network/trafficmanagerprofiles/externalendpoints", + "Microsoft.Network/trafficmanagerprofiles/nestedendpoints", + "Microsoft.Network/checkTrafficManagerNameAvailability", + "Microsoft.Network/checkTrafficManagerNameAvailabilityV2", + 
"Microsoft.Network/trafficManagerUserMetricsKeys", + "Microsoft.Network/trafficManagerGeographicHierarchies", + "Microsoft.Network/expressRouteProviderPorts", + "Microsoft.Network/locations/hybridEdgeZone", + "Microsoft.Network/firewallPolicies", + "Microsoft.Network/ipGroups", + "Microsoft.Network/azureWebCategories", + "Microsoft.Network/locations/nfvOperations", + "Microsoft.Network/locations/nfvOperationResults", + "Microsoft.Network/virtualRouters", + "Microsoft.Network/networkVirtualAppliances", + "Microsoft.Network/networkVirtualApplianceSkus", + "Microsoft.Network/frontdoorOperationResults", + "Microsoft.Network/checkFrontdoorNameAvailability", + "Microsoft.Network/frontdoors", + "Microsoft.Network/frontdoors/frontendEndpoints", + "Microsoft.Network/frontdoors/frontendEndpoints/customHttpsConfiguration", + "Microsoft.Network/frontdoorWebApplicationFirewallPolicies", + "Microsoft.Network/frontdoorWebApplicationFirewallManagedRuleSets", + "Microsoft.Network/networkExperimentProfiles", + "Microsoft.Network/networkManagers", + "Microsoft.Network/networkManagerConnections", + "Microsoft.Network/networkSecurityPerimeters", + "Microsoft.Network/locations/perimeterAssociableResourceTypes", + "Microsoft.Network/locations/queryNetworkSecurityPerimeter", + "Microsoft.Network/virtualNetworks/listNetworkManagerEffectiveConnectivityConfigurations", + "Microsoft.Network/virtualNetworks/listNetworkManagerEffectiveSecurityAdminRules", + "Microsoft.Network/networkGroupMemberships", + "Microsoft.Network/locations/commitInternalAzureNetworkManagerConfiguration", + "Microsoft.Network/locations/internalAzureVirtualNetworkManagerOperation", + "Microsoft.Network/privateDnsZones", + "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "Microsoft.Network/privateDnsOperationResults", + "Microsoft.Network/privateDnsOperationStatuses", + "Microsoft.Network/privateDnsZonesInternal", + "Microsoft.Network/privateDnsZones/A", + "Microsoft.Network/privateDnsZones/AAAA", + 
"Microsoft.Network/privateDnsZones/CNAME", + "Microsoft.Network/privateDnsZones/PTR", + "Microsoft.Network/privateDnsZones/MX", + "Microsoft.Network/privateDnsZones/TXT", + "Microsoft.Network/privateDnsZones/SRV", + "Microsoft.Network/privateDnsZones/SOA", + "Microsoft.Network/privateDnsZones/all", + "Microsoft.Network/virtualNetworks/privateDnsZoneLinks", + "Microsoft.Network/dnsResolvers", + "Microsoft.Network/dnsResolvers/inboundEndpoints", + "Microsoft.Network/dnsResolvers/outboundEndpoints", + "Microsoft.Network/dnsForwardingRulesets", + "Microsoft.Network/dnsForwardingRulesets/forwardingRules", + "Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks", + "Microsoft.Network/virtualNetworks/listDnsResolvers", + "Microsoft.Network/virtualNetworks/listDnsForwardingRulesets", + "Microsoft.Network/locations/dnsResolverOperationResults", + "Microsoft.Network/locations/dnsResolverOperationStatuses", + "Microsoft.Network/locations/dnsResolverPolicyOperationResults", + "Microsoft.Network/locations/dnsResolverPolicyOperationStatuses", + "Microsoft.Network/dnszones", + "Microsoft.Network/dnsOperationResults", + "Microsoft.Network/dnsOperationStatuses", + "Microsoft.Network/getDnsResourceReference", + "Microsoft.Network/internalNotify", + "Microsoft.Network/dnszones/A", + "Microsoft.Network/dnszones/AAAA", + "Microsoft.Network/dnszones/CNAME", + "Microsoft.Network/dnszones/PTR", + "Microsoft.Network/dnszones/MX", + "Microsoft.Network/dnszones/TXT", + "Microsoft.Network/dnszones/SRV", + "Microsoft.Network/dnszones/SOA", + "Microsoft.Network/dnszones/NS", + "Microsoft.Network/dnszones/CAA", + "Microsoft.Network/dnszones/DS", + "Microsoft.Network/dnszones/TLSA", + "Microsoft.Network/dnszones/NAPTR", + "Microsoft.Network/dnszones/recordsets", + "Microsoft.Network/dnszones/all", + "Microsoft.Network/dnszones/dnssecConfigs", + "Microsoft.Network/virtualNetworks", + "Microsoft.Network/virtualNetworks/taggedTrafficConsumers", + "Microsoft.Network/natGateways", + 
"Microsoft.Network/publicIPAddresses", + "Microsoft.Network/internalPublicIpAddresses", + "Microsoft.Network/customIpPrefixes", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/dscpConfigurations", + "Microsoft.Network/privateEndpoints", + "Microsoft.Network/privateEndpoints/privateLinkServiceProxies", + "Microsoft.Network/privateEndpointRedirectMaps", + "Microsoft.Network/loadBalancers", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.Network/applicationSecurityGroups", + "Microsoft.Network/serviceEndpointPolicies", + "Microsoft.Network/networkIntentPolicies", + "Microsoft.Network/routeTables", + "Microsoft.Network/publicIPPrefixes", + "Microsoft.Network/networkWatchers", + "Microsoft.Network/networkWatchers/connectionMonitors", + "Microsoft.Network/networkWatchers/flowLogs", + "Microsoft.Network/networkWatchers/pingMeshes", + "Microsoft.Network/locations", + "Microsoft.Network/locations/operations", + "Microsoft.Network/locations/operationResults", + "Microsoft.Network/locations/CheckDnsNameAvailability", + "Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses", + "Microsoft.Network/cloudServiceSlots", + "Microsoft.Network/locations/usages", + "Microsoft.Network/locations/virtualNetworkAvailableEndpointServices", + "Microsoft.Network/locations/availableDelegations", + "Microsoft.Network/locations/serviceTags", + "Microsoft.Network/locations/availablePrivateEndpointTypes", + "Microsoft.Network/locations/availableServiceAliases", + "Microsoft.Network/locations/checkPrivateLinkServiceVisibility", + "Microsoft.Network/locations/autoApprovedPrivateLinkServices", + "Microsoft.Network/locations/batchValidatePrivateEndpointsForResourceMove", + "Microsoft.Network/locations/batchNotifyPrivateEndpointsForResourceMove", + "Microsoft.Network/locations/supportedVirtualMachineSizes", + "Microsoft.Network/locations/setAzureNetworkManagerConfiguration", + "Microsoft.Network/locations/publishResources", + 
"Microsoft.Network/locations/getAzureNetworkManagerConfiguration", + "Microsoft.Network/locations/checkAcceleratedNetworkingSupport", + "Microsoft.Network/locations/validateResourceOwnership", + "Microsoft.Network/locations/setResourceOwnership", + "Microsoft.Network/locations/effectiveResourceOwnership", + "Microsoft.Network/operations", + "Microsoft.Network/virtualNetworkTaps", + "Microsoft.Network/privateLinkServices", + "Microsoft.Network/locations/privateLinkServices", + "Microsoft.Network/ddosProtectionPlans", + "Microsoft.Network/networkProfiles", + "Microsoft.Network/locations/bareMetalTenants", + "Microsoft.Network/ipAllocations", + "Microsoft.Network/locations/serviceTagDetails", + "Microsoft.Network/locations/dataTasks", + "Microsoft.Network/locations/startPacketTagging", + "Microsoft.Network/locations/deletePacketTagging", + "Microsoft.Network/locations/getPacketTagging", + "Microsoft.Network/locations/rnmEffectiveRouteTable", + "Microsoft.Network/locations/rnmEffectiveNetworkSecurityGroups", + "Microsoft.Compute/availabilitySets", + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachines/extensions", + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Compute/virtualMachineScaleSets/extensions", + "Microsoft.Compute/virtualMachineScaleSets/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions", + "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces", + "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces", + "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses", + "Microsoft.Compute/locations", + "Microsoft.Compute/locations/operations", + "Microsoft.Compute/locations/vmSizes", + "Microsoft.Compute/locations/runCommands", + "Microsoft.Compute/locations/virtualMachines", + "Microsoft.Compute/locations/virtualMachineScaleSets", + "Microsoft.Compute/locations/publishers", + "Microsoft.Compute/operations", + "Microsoft.Compute/virtualMachines/runCommands", 
+ "Microsoft.Compute/virtualMachineScaleSets/applications", + "Microsoft.Compute/virtualMachines/VMApplications", + "Microsoft.Compute/locations/edgeZones", + "Microsoft.Compute/locations/edgeZones/vmimages", + "Microsoft.Compute/locations/edgeZones/publishers", + "Microsoft.Compute/restorePointCollections", + "Microsoft.Compute/restorePointCollections/restorePoints", + "Microsoft.Compute/proximityPlacementGroups", + "Microsoft.Compute/sshPublicKeys", + "Microsoft.Compute/capacityReservationGroups", + "Microsoft.Compute/capacityReservationGroups/capacityReservations", + "Microsoft.Compute/virtualMachines/metricDefinitions", + "Microsoft.Compute/locations/spotEvictionRates", + "Microsoft.Compute/locations/spotPriceHistory", + "Microsoft.Compute/locations/recommendations", + "Microsoft.Compute/locations/sharedGalleries", + "Microsoft.Compute/locations/communityGalleries", + "Microsoft.Compute/sharedVMImages", + "Microsoft.Compute/sharedVMImages/versions", + "Microsoft.Compute/locations/artifactPublishers", + "Microsoft.Compute/locations/capsoperations", + "Microsoft.Compute/galleries", + "Microsoft.Compute/galleries/images", + "Microsoft.Compute/galleries/images/versions", + "Microsoft.Compute/locations/galleries", + "Microsoft.Compute/payloadGroups", + "Microsoft.Compute/galleries/applications", + "Microsoft.Compute/galleries/applications/versions", + "Microsoft.Compute/disks", + "Microsoft.Compute/snapshots", + "Microsoft.Compute/locations/diskoperations", + "Microsoft.Compute/diskEncryptionSets", + "Microsoft.Compute/diskAccesses", + "Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints", + "Microsoft.Compute/virtualMachineScaleSets/disks", + "Microsoft.Compute/cloudServices", + "Microsoft.Compute/cloudServices/roles", + "Microsoft.Compute/cloudServices/roleInstances", + "Microsoft.Compute/locations/csoperations", + "Microsoft.Compute/locations/cloudServiceOsVersions", + "Microsoft.Compute/locations/cloudServiceOsFamilies", + 
"Microsoft.Compute/cloudServices/networkInterfaces", + "Microsoft.Compute/cloudServices/roleInstances/networkInterfaces", + "Microsoft.Compute/cloudServices/publicIPAddresses", + "Microsoft.Compute/locations/usages", + "Microsoft.Compute/images", + "Microsoft.Compute/locations/diagnostics", + "Microsoft.Compute/locations/diagnosticOperations", + "Microsoft.Compute/locations/logAnalytics", + "Microsoft.Compute/hostGroups", + "Microsoft.Compute/hostGroups/hosts", + "Microsoft.ResourceHealth/availabilityStatuses", + "Microsoft.ResourceHealth/childAvailabilityStatuses", + "Microsoft.ResourceHealth/childResources", + "Microsoft.ResourceHealth/events", + "Microsoft.ResourceHealth/metadata", + "Microsoft.ResourceHealth/emergingissues", + "Microsoft.ResourceHealth/operations", + "microsoft.insights/components", + "microsoft.insights/components/query", + "microsoft.insights/components/metadata", + "microsoft.insights/components/metrics", + "microsoft.insights/components/events", + "microsoft.insights/components/syntheticmonitorlocations", + "microsoft.insights/components/analyticsItems", + "microsoft.insights/components/webtests", + "microsoft.insights/components/workItemConfigs", + "microsoft.insights/components/myFavorites", + "microsoft.insights/components/operations", + "microsoft.insights/components/exportConfiguration", + "microsoft.insights/components/purge", + "microsoft.insights/components/api", + "microsoft.insights/components/aggregate", + "microsoft.insights/components/metricDefinitions", + "microsoft.insights/components/extendQueries", + "microsoft.insights/components/apiKeys", + "microsoft.insights/components/myAnalyticsItems", + "microsoft.insights/components/favorites", + "microsoft.insights/components/defaultWorkItemConfig", + "microsoft.insights/components/annotations", + "microsoft.insights/components/proactiveDetectionConfigs", + "microsoft.insights/components/move", + "microsoft.insights/components/currentBillingFeatures", + 
"microsoft.insights/components/quotaStatus", + "microsoft.insights/components/featureCapabilities", + "microsoft.insights/components/getAvailableBillingFeatures", + "microsoft.insights/webtests", + "microsoft.insights/webtests/getTestResultFile", + "microsoft.insights/scheduledqueryrules", + "microsoft.insights/components/pricingPlans", + "microsoft.insights/migrateToNewPricingModel", + "microsoft.insights/rollbackToLegacyPricingModel", + "microsoft.insights/listMigrationdate", + "microsoft.insights/logprofiles", + "microsoft.insights/migratealertrules", + "microsoft.insights/metricalerts", + "microsoft.insights/alertrules", + "microsoft.insights/autoscalesettings", + "microsoft.insights/eventtypes", + "microsoft.insights/locations", + "microsoft.insights/locations/operationResults", + "microsoft.insights/vmInsightsOnboardingStatuses", + "microsoft.insights/operations", + "microsoft.insights/diagnosticSettings", + "microsoft.insights/diagnosticSettingsCategories", + "microsoft.insights/extendedDiagnosticSettings", + "microsoft.insights/metricDefinitions", + "microsoft.insights/logDefinitions", + "microsoft.insights/eventCategories", + "microsoft.insights/metrics", + "microsoft.insights/metricbatch", + "microsoft.insights/metricNamespaces", + "microsoft.insights/notificationstatus", + "microsoft.insights/createnotifications", + "microsoft.insights/tenantactiongroups", + "microsoft.insights/actiongroups", + "microsoft.insights/activityLogAlerts", + "microsoft.insights/metricbaselines", + "microsoft.insights/workbooks", + "microsoft.insights/workbooktemplates", + "microsoft.insights/myWorkbooks", + "microsoft.insights/logs", + "microsoft.insights/transactions", + "microsoft.insights/topology", + "microsoft.insights/generateLiveToken", + "microsoft.insights/monitoredObjects", + "microsoft.insights/dataCollectionRules", + "microsoft.insights/dataCollectionRuleAssociations", + "microsoft.insights/dataCollectionEndpoints", + 
"microsoft.insights/dataCollectionEndpoints/scopedPrivateLinkProxies", + "microsoft.insights/privateLinkScopes", + "microsoft.insights/privateLinkScopes/privateEndpointConnections", + "microsoft.insights/privateLinkScopes/privateEndpointConnectionProxies", + "microsoft.insights/privateLinkScopes/scopedResources", + "microsoft.insights/components/linkedstorageaccounts", + "microsoft.insights/privateLinkScopeOperationStatuses", + "microsoft.insights/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.ManagedServices/registrationDefinitions", + "Microsoft.ManagedServices/registrationAssignments", + "Microsoft.ManagedServices/operations", + "Microsoft.ManagedServices/marketplaceRegistrationDefinitions", + "Microsoft.ManagedServices/operationStatuses", + "Microsoft.HDInsight/clusters", + "Microsoft.HDInsight/clusters/applications", + "Microsoft.HDInsight/clusters/operationresults", + "Microsoft.HDInsight/locations", + "Microsoft.HDInsight/locations/capabilities", + "Microsoft.HDInsight/locations/usages", + "Microsoft.HDInsight/locations/billingSpecs", + "Microsoft.HDInsight/locations/operationresults", + "Microsoft.HDInsight/locations/azureasyncoperations", + "Microsoft.HDInsight/locations/validateCreateRequest", + "Microsoft.HDInsight/operations", + "Microsoft.HDInsight/locations/operationStatuses", + "Microsoft.HDInsight/clusterPools", + "Microsoft.HDInsight/clusterPools/clusters", + "Microsoft.HDInsight/locations/clusterOfferingVersions", + "Microsoft.HDInsight/locations/availableClusterPoolVersions", + "Microsoft.HDInsight/locations/availableClusterVersions", + "Microsoft.HDInsight/locations/checkNameAvailability", + "Microsoft.HDInsight/clusterPools/clusters/serviceConfigs", + "Microsoft.HDInsight/clusterPools/clusters/instanceViews", + "Microsoft.HDInsight/clusterPools/clusters/jobs", + "Microsoft.AlertsManagement/alerts", + "Microsoft.AlertsManagement/alertsSummary", + "Microsoft.AlertsManagement/smartGroups", + 
"Microsoft.AlertsManagement/smartDetectorAlertRules", + "Microsoft.AlertsManagement/migrateFromSmartDetection", + "Microsoft.AlertsManagement/actionRules", + "Microsoft.AlertsManagement/alertsMetaData", + "Microsoft.AlertsManagement/prometheusRuleGroups", + "Microsoft.AlertsManagement/operations", + "Microsoft.AlertsManagement/alertRuleRecommendations", + "Microsoft.AlertsManagement/tenantActivityLogAlerts", + "Microsoft.AlertsManagement/investigations", + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationsManagement/managementassociations", + "Microsoft.OperationsManagement/views", + "Microsoft.OperationsManagement/operations", + "Microsoft.KeyVault/vaults", + "Microsoft.KeyVault/vaults/secrets", + "Microsoft.KeyVault/vaults/accessPolicies", + "Microsoft.KeyVault/operations", + "Microsoft.KeyVault/checkNameAvailability", + "Microsoft.KeyVault/deletedVaults", + "Microsoft.KeyVault/locations", + "Microsoft.KeyVault/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.KeyVault/locations/deletedVaults", + "Microsoft.KeyVault/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.KeyVault/locations/operationResults", + "Microsoft.KeyVault/vaults/eventGridFilters", + "Microsoft.KeyVault/managedHSMs", + "Microsoft.KeyVault/deletedManagedHSMs", + "Microsoft.KeyVault/locations/deletedManagedHSMs", + "Microsoft.KeyVault/locations/managedHsmOperationResults", + "Microsoft.KeyVault/managedHSMs/keys", + "Microsoft.KeyVault/managedHSMs/keys/versions", + "Microsoft.KeyVault/checkMhsmNameAvailability", + "Microsoft.KeyVault/vaults/keys", + "Microsoft.KeyVault/vaults/keys/versions", + "Microsoft.ContainerService/ManagedClusters/eventGridFilters", + "Microsoft.ContainerService/fleetMemberships", + "Microsoft.ContainerService/fleets", + "Microsoft.ContainerService/fleets/members", + "Microsoft.ContainerService/fleets/updateRuns", + "Microsoft.ContainerService/fleets/updateStrategies", + "Microsoft.ContainerService/locations", + 
"Microsoft.ContainerService/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.ContainerService/locations/operationresults", + "Microsoft.ContainerService/locations/operations", + "Microsoft.ContainerService/locations/orchestrators", + "Microsoft.ContainerService/locations/kubernetesVersions", + "Microsoft.ContainerService/locations/usages", + "Microsoft.ContainerService/locations/osOptions", + "Microsoft.ContainerService/locations/guardrailsVersions", + "Microsoft.ContainerService/locations/trustedAccessRoles", + "Microsoft.ContainerService/managedClusters", + "Microsoft.ContainerService/managedclustersnapshots", + "Microsoft.ContainerService/operations", + "Microsoft.ContainerService/snapshots", + "Microsoft.DesktopVirtualization/workspaces", + "Microsoft.DesktopVirtualization/applicationgroups", + "Microsoft.DesktopVirtualization/applicationgroups/applications", + "Microsoft.DesktopVirtualization/applicationgroups/desktops", + "Microsoft.DesktopVirtualization/applicationgroups/startmenuitems", + "Microsoft.DesktopVirtualization/hostpools", + "Microsoft.DesktopVirtualization/hostpools/msixpackages", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts", + "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions", + "Microsoft.DesktopVirtualization/hostpools/usersessions", + "Microsoft.DesktopVirtualization/scalingplans", + "Microsoft.DesktopVirtualization/appattachpackages", + "Microsoft.DesktopVirtualization/operations", + "Microsoft.SecurityInsights/operations", + "Microsoft.SecurityInsights/alertRules", + "Microsoft.SecurityInsights/alertRuleTemplates", + "Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns", + "Microsoft.SecurityInsights/cases", + "Microsoft.SecurityInsights/bookmarks", + "Microsoft.SecurityInsights/dataConnectors", + "Microsoft.SecurityInsights/dataConnectorDefinitions", + "Microsoft.SecurityInsights/dataConnectorsCheckRequirements", + "Microsoft.SecurityInsights/enrichment", + 
"Microsoft.SecurityInsights/fileImports", + "Microsoft.SecurityInsights/entities", + "Microsoft.SecurityInsights/incidents", + "Microsoft.SecurityInsights/officeConsents", + "Microsoft.SecurityInsights/settings", + "Microsoft.SecurityInsights/aggregations", + "Microsoft.SecurityInsights/entityQueries", + "Microsoft.SecurityInsights/entityQueryTemplates", + "Microsoft.SecurityInsights/threatIntelligence", + "Microsoft.SecurityInsights/automationRules", + "Microsoft.SecurityInsights/sourceControls", + "Microsoft.SecurityInsights/exportConnections", + "Microsoft.SecurityInsights/listrepositories", + "Microsoft.SecurityInsights/watchlists", + "Microsoft.SecurityInsights/confidentialWatchlists", + "Microsoft.SecurityInsights/huntsessions", + "Microsoft.SecurityInsights/dynamicSummaries", + "Microsoft.SecurityInsights/hunts", + "Microsoft.SecurityInsights/onboardingStates", + "Microsoft.SecurityInsights/metadata", + "Microsoft.SecurityInsights/contentPackages", + "Microsoft.SecurityInsights/contentTemplates", + "Microsoft.SecurityInsights/contentProductPackages", + "Microsoft.SecurityInsights/contentProductTemplates", + "Microsoft.SecurityInsights/MitreCoverageRecords", + "Microsoft.SecurityInsights/overview", + "Microsoft.SecurityInsights/recommendations", + "Microsoft.SecurityInsights/billingStatistics", + "Microsoft.SecurityInsights/workspaceManagerConfigurations", + "Microsoft.SecurityInsights/workspaceManagerMembers", + "Microsoft.SecurityInsights/workspaceManagerGroups", + "Microsoft.SecurityInsights/workspaceManagerAssignments", + "Microsoft.SecurityInsights/securityMLAnalyticsSettings", + "Microsoft.SecurityInsights/contenttranslators", + "Microsoft.ServiceFabric/clusters", + "Microsoft.ServiceFabric/clusters/applications", + "Microsoft.ServiceFabric/clusters/applicationTypes", + "Microsoft.ServiceFabric/clusters/applicationTypes/versions", + "Microsoft.ServiceFabric/clusters/applications/services", + "Microsoft.ServiceFabric/locations", + 
"Microsoft.ServiceFabric/locations/clusterVersions", + "Microsoft.ServiceFabric/locations/environments", + "Microsoft.ServiceFabric/locations/operations", + "Microsoft.ServiceFabric/locations/operationResults", + "Microsoft.ServiceFabric/locations/unsupportedVMSizes", + "Microsoft.ServiceFabric/operations", + "Microsoft.ServiceFabric/managedclusters", + "Microsoft.ServiceFabric/managedclusters/nodetypes", + "Microsoft.ServiceFabric/managedclusters/applicationTypes", + "Microsoft.ServiceFabric/managedclusters/applicationTypes/versions", + "Microsoft.ServiceFabric/managedclusters/applications", + "Microsoft.ServiceFabric/managedclusters/applications/services", + "Microsoft.ServiceFabric/locations/managedClusterOperations", + "Microsoft.ServiceFabric/locations/managedClusterOperationResults", + "Microsoft.ServiceFabric/locations/managedClusterVersions", + "Microsoft.ServiceFabric/locations/environments/managedClusterVersions", + "Microsoft.ServiceFabric/locations/managedUnsupportedVMSizes", + "Microsoft.PowerBIDedicated/capacities", + "Microsoft.PowerBIDedicated/autoScaleVCores", + "Microsoft.PowerBIDedicated/locations", + "Microsoft.PowerBIDedicated/locations/checkNameAvailability", + "Microsoft.PowerBIDedicated/locations/operationresults", + "Microsoft.PowerBIDedicated/locations/operationstatuses", + "Microsoft.PowerBIDedicated/operations", + "Microsoft.Logic/workflows", + "Microsoft.Logic/locations/workflows", + "Microsoft.Logic/locations/validateWorkflowExport", + "Microsoft.Logic/locations/workflowExport", + "Microsoft.Logic/locations", + "Microsoft.Logic/operations", + "Microsoft.Logic/integrationAccounts", + "Microsoft.Logic/integrationServiceEnvironments", + "Microsoft.Logic/integrationServiceEnvironments/managedApis", + "Microsoft.Logic/locations/generateCopilotResponse", + "Microsoft.MachineLearningServices/workspaces/batchEndpoints", + "Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments", + 
"Microsoft.MachineLearningServices/workspaces", + "Microsoft.MachineLearningServices/registries", + "Microsoft.MachineLearningServices/locations/registryOperationsStatus", + "Microsoft.MachineLearningServices/workspaces/onlineEndpoints", + "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments", + "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments/skus", + "Microsoft.MachineLearningServices/workspaces/computes", + "Microsoft.MachineLearningServices/workspaces/jobs", + "Microsoft.MachineLearningServices/workspaces/codes", + "Microsoft.MachineLearningServices/workspaces/codes/versions", + "Microsoft.MachineLearningServices/workspaces/components", + "Microsoft.MachineLearningServices/workspaces/components/versions", + "Microsoft.MachineLearningServices/workspaces/environments", + "Microsoft.MachineLearningServices/workspaces/environments/versions", + "Microsoft.MachineLearningServices/workspaces/data", + "Microsoft.MachineLearningServices/workspaces/data/versions", + "Microsoft.MachineLearningServices/workspaces/datasets", + "Microsoft.MachineLearningServices/workspaces/services", + "Microsoft.MachineLearningServices/workspaces/datastores", + "Microsoft.MachineLearningServices/workspaces/eventGridFilters", + "Microsoft.MachineLearningServices/workspaces/models", + "Microsoft.MachineLearningServices/workspaces/models/versions", + "Microsoft.MachineLearningServices/operations", + "Microsoft.MachineLearningServices/locations", + "Microsoft.MachineLearningServices/locations/computeOperationsStatus", + "Microsoft.MachineLearningServices/locations/mfeOperationResults", + "Microsoft.MachineLearningServices/locations/mfeOperationsStatus", + "Microsoft.MachineLearningServices/locations/workspaceOperationsStatus", + "Microsoft.MachineLearningServices/locations/usages", + "Microsoft.MachineLearningServices/locations/vmsizes", + "Microsoft.MachineLearningServices/locations/quotas", + 
"Microsoft.MachineLearningServices/locations/updatequotas", + "Microsoft.MachineLearningServices/workspaces/linkedServices", + "Microsoft.MachineLearningServices/workspaces/labelingJobs", + "Microsoft.MachineLearningServices/workspaces/schedules", + "Microsoft.MachineLearningServices/workspaces/featuresets", + "Microsoft.MachineLearningServices/workspaces/serverlessEndpoints", + "Microsoft.MachineLearningServices/workspaces/marketplaceSubscriptions", + "Microsoft.MachineLearningServices/workspaces/inferencePools", + "Microsoft.MachineLearningServices/workspaces/inferencePools/groups", + "Microsoft.MachineLearningServices/workspaces/inferencePools/endpoints", + "Microsoft.MachineLearningServices/workspaces/featuresets/versions", + "Microsoft.MachineLearningServices/workspaces/featurestoreEntities", + "Microsoft.MachineLearningServices/workspaces/featurestoreEntities/versions", + "Microsoft.MachineLearningServices/workspaces/endpoints", + "Microsoft.MachineLearningServices/registries/codes", + "Microsoft.MachineLearningServices/registries/codes/versions", + "Microsoft.MachineLearningServices/registries/components", + "Microsoft.MachineLearningServices/registries/components/versions", + "Microsoft.MachineLearningServices/registries/data", + "Microsoft.MachineLearningServices/registries/data/versions", + "Microsoft.MachineLearningServices/registries/datareferences", + "Microsoft.MachineLearningServices/registries/datareferences/versions", + "Microsoft.MachineLearningServices/registries/environments", + "Microsoft.MachineLearningServices/registries/environments/versions", + "Microsoft.MachineLearningServices/registries/models", + "Microsoft.MachineLearningServices/registries/models/versions", + "Microsoft.MachineLearningServices/capacityReservationGroups", + "Microsoft.ContainerInstance/containerGroups", + "Microsoft.ContainerInstance/serviceAssociationLinks", + "Microsoft.ContainerInstance/locations", + "Microsoft.ContainerInstance/locations/capabilities", + 
"Microsoft.ContainerInstance/locations/usages", + "Microsoft.ContainerInstance/locations/operations", + "Microsoft.ContainerInstance/locations/operationresults", + "Microsoft.ContainerInstance/operations", + "Microsoft.ContainerInstance/locations/cachedImages", + "Microsoft.ContainerInstance/locations/validateDeleteVirtualNetworkOrSubnets", + "Microsoft.ContainerInstance/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.ManagedIdentity/Identities", + "Microsoft.ManagedIdentity/userAssignedIdentities", + "Microsoft.ManagedIdentity/operations", + "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", + "Microsoft.Cdn/profiles", + "Microsoft.Cdn/profiles/endpoints", + "Microsoft.Cdn/profiles/endpoints/origins", + "Microsoft.Cdn/profiles/endpoints/origingroups", + "Microsoft.Cdn/profiles/endpoints/customdomains", + "Microsoft.Cdn/operationresults", + "Microsoft.Cdn/operationresults/profileresults", + "Microsoft.Cdn/operationresults/profileresults/endpointresults", + "Microsoft.Cdn/operationresults/profileresults/endpointresults/originresults", + "Microsoft.Cdn/operationresults/profileresults/endpointresults/origingroupresults", + "Microsoft.Cdn/operationresults/profileresults/endpointresults/customdomainresults", + "Microsoft.Cdn/checkNameAvailability", + "Microsoft.Cdn/checkEndpointNameAvailability", + "Microsoft.Cdn/checkResourceUsage", + "Microsoft.Cdn/validateProbe", + "Microsoft.Cdn/canMigrate", + "Microsoft.Cdn/migrate", + "Microsoft.Cdn/operations", + "Microsoft.Cdn/edgenodes", + "Microsoft.Cdn/CdnWebApplicationFirewallPolicies", + "Microsoft.Cdn/operationresults/cdnwebapplicationfirewallpolicyresults", + "Microsoft.Cdn/CdnWebApplicationFirewallManagedRuleSets", + "Microsoft.Cdn/profiles/afdendpoints", + "Microsoft.Cdn/profiles/afdendpoints/routes", + "Microsoft.Cdn/profiles/customdomains", + "Microsoft.Cdn/profiles/origingroups", + "Microsoft.Cdn/profiles/origingroups/origins", + "Microsoft.Cdn/profiles/rulesets", + 
"Microsoft.Cdn/profiles/rulesets/rules", + "Microsoft.Cdn/profiles/secrets", + "Microsoft.Cdn/validateSecret", + "Microsoft.Cdn/profiles/keygroups", + "Microsoft.Cdn/profiles/securitypolicies", + "Microsoft.Cdn/operationresults/profileresults/afdendpointresults", + "Microsoft.Cdn/operationresults/profileresults/afdendpointresults/routeresults", + "Microsoft.Cdn/operationresults/profileresults/customdomainresults", + "Microsoft.Cdn/operationresults/profileresults/origingroupresults", + "Microsoft.Cdn/operationresults/profileresults/origingroupresults/originresults", + "Microsoft.Cdn/operationresults/profileresults/rulesetresults", + "Microsoft.Cdn/operationresults/profileresults/rulesetresults/ruleresults", + "Microsoft.Cdn/operationresults/profileresults/secretresults", + "Microsoft.Cdn/operationresults/profileresults/securitypolicyresults", + "Microsoft.Cdn/profiles/policies", + "Microsoft.Cdn/profiles/networkpolicies", + "Microsoft.Cdn/operationresults/profileresults/policyresults", + "Microsoft.BotService/botServices", + "Microsoft.BotService/botServices/channels", + "Microsoft.BotService/botServices/connections", + "Microsoft.BotService/listAuthServiceProviders", + "Microsoft.BotService/listQnAMakerEndpointKeys", + "Microsoft.BotService/hostSettings", + "Microsoft.BotService/checkNameAvailability", + "Microsoft.BotService/locations", + "Microsoft.BotService/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.BotService/operations", + "Microsoft.BotService/botServices/privateEndpointConnectionProxies", + "Microsoft.BotService/botServices/privateEndpointConnections", + "Microsoft.BotService/botServices/privateLinkResources", + "Microsoft.BotService/operationResults", + "Microsoft.Devices/checkNameAvailability", + "Microsoft.Devices/checkProvisioningServiceNameAvailability", + "Microsoft.Devices/usages", + "Microsoft.Devices/operations", + "Microsoft.Devices/operationResults", + "Microsoft.Devices/provisioningServiceOperationResults", + 
"Microsoft.Devices/locations/provisioningServiceOperationResults",
+ "Microsoft.Devices/locations",
+ "Microsoft.Devices/locations/operationResults",
+ "Microsoft.Devices/IotHubs",
+ "Microsoft.Devices/IotHubs/eventGridFilters",
+ "Microsoft.Devices/IotHubs/failover",
+ "Microsoft.Devices/ProvisioningServices",
+ "Microsoft.Devices/IotHubs/securitySettings",
+ "Microsoft.Databricks/workspaces",
+ "Microsoft.Databricks/accessConnectors",
+ "Microsoft.Databricks/workspaces/virtualNetworkPeerings",
+ "Microsoft.Databricks/workspaces/dbWorkspaces",
+ "Microsoft.Databricks/operations",
+ "Microsoft.Databricks/locations",
+ "Microsoft.Databricks/locations/operationstatuses",
+ "Microsoft.Databricks/locations/getNetworkPolicies",
+ "Microsoft.EventGrid/locations",
+ "Microsoft.EventGrid/locations/eventSubscriptions",
+ "Microsoft.EventGrid/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.EventGrid/eventSubscriptions",
+ "Microsoft.EventGrid/topics",
+ "Microsoft.EventGrid/domains",
+ "Microsoft.EventGrid/domains/topics",
+ "Microsoft.EventGrid/topicTypes",
+ "Microsoft.EventGrid/operations",
+ "Microsoft.EventGrid/locations/operationsStatus",
+ "Microsoft.EventGrid/locations/operationResults",
+ "Microsoft.EventGrid/locations/topicTypes",
+ "Microsoft.EventGrid/extensionTopics",
+ "Microsoft.EventGrid/operationResults",
+ "Microsoft.EventGrid/operationsStatus",
+ "Microsoft.EventGrid/systemTopics",
+ "Microsoft.EventGrid/systemTopics/eventSubscriptions",
+ "Microsoft.EventGrid/partnerRegistrations",
+ "Microsoft.EventGrid/partnerConfigurations",
+ "Microsoft.EventGrid/verifiedPartners",
+ "Microsoft.EventGrid/namespaces",
+ "Microsoft.EventGrid/partnerNamespaces",
+ "Microsoft.EventGrid/partnerTopics",
+ "Microsoft.EventGrid/partnerTopics/eventSubscriptions",
+ "Microsoft.EventGrid/partnerNamespaces/eventChannels",
+ "Microsoft.EventGrid/partnerNamespaces/channels",
+ "Microsoft.EventGrid/partnerDestinations",
+ "Microsoft.DBforPostgreSQL/operations",
+ "Microsoft.DBforPostgreSQL/servers",
+ "Microsoft.DBforPostgreSQL/serverGroupsv2",
+ "Microsoft.DBforPostgreSQL/flexibleServers",
+ "Microsoft.DBforPostgreSQL/locations/capabilities",
+ "Microsoft.DBforPostgreSQL/locations/checkNameAvailability",
+ "Microsoft.DBforPostgreSQL/servers/recoverableServers",
+ "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules",
+ "Microsoft.DBforPostgreSQL/checkNameAvailability",
+ "Microsoft.DBforPostgreSQL/availableEngineVersions",
+ "Microsoft.DBforPostgreSQL/getPrivateDnsZoneSuffix",
+ "Microsoft.DBforPostgreSQL/locations",
+ "Microsoft.DBforPostgreSQL/locations/operationResults",
+ "Microsoft.DBforPostgreSQL/locations/azureAsyncOperation",
+ "Microsoft.DBforPostgreSQL/locations/administratorOperationResults",
+ "Microsoft.DBforPostgreSQL/locations/administratorAzureAsyncOperation",
+ "Microsoft.DBforPostgreSQL/locations/checkVirtualNetworkSubnetUsage",
+ "Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionProxyOperationResults",
+ "Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionProxyAzureAsyncOperation",
+ "Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionOperationResults",
+ "Microsoft.DBforPostgreSQL/locations/privateEndpointConnectionAzureAsyncOperation",
+ "Microsoft.DBforPostgreSQL/locations/performanceTiers",
+ "Microsoft.DBforPostgreSQL/locations/securityAlertPoliciesAzureAsyncOperation",
+ "Microsoft.DBforPostgreSQL/locations/securityAlertPoliciesOperationResults",
+ "Microsoft.DBforPostgreSQL/locations/recommendedActionSessionsAzureAsyncOperation",
+ "Microsoft.DBforPostgreSQL/locations/recommendedActionSessionsOperationResults",
+ "Microsoft.DBforPostgreSQL/servers/topQueryStatistics",
+ "Microsoft.DBforPostgreSQL/servers/queryTexts",
+ "Microsoft.DBforPostgreSQL/servers/waitStatistics",
+ "Microsoft.DBforPostgreSQL/servers/resetQueryPerformanceInsightData",
+ "Microsoft.DBforPostgreSQL/servers/advisors",
+ "Microsoft.DBforPostgreSQL/servers/privateLinkResources",
+ "Microsoft.DBforPostgreSQL/servers/privateEndpointConnections",
+ "Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionProxies",
+ "Microsoft.DBforPostgreSQL/servers/keys",
+ "Microsoft.DBforPostgreSQL/locations/serverKeyAzureAsyncOperation",
+ "Microsoft.DBforPostgreSQL/locations/serverKeyOperationResults",
+ "Microsoft.DBforPostgreSQL/locations/getCachedServerName",
+ "Microsoft.TimeSeriesInsights/environments",
+ "Microsoft.TimeSeriesInsights/environments/eventsources",
+ "Microsoft.TimeSeriesInsights/environments/referenceDataSets",
+ "Microsoft.TimeSeriesInsights/environments/accessPolicies",
+ "Microsoft.TimeSeriesInsights/environments/privateLinkResources",
+ "Microsoft.TimeSeriesInsights/environments/privateEndpointConnectionProxies",
+ "Microsoft.TimeSeriesInsights/environments/privateEndpointConnections",
+ "Microsoft.TimeSeriesInsights/operations",
+ "Microsoft.DBforMariaDB/operations",
+ "Microsoft.DBforMariaDB/servers",
+ "Microsoft.DBforMariaDB/servers/recoverableServers",
+ "Microsoft.DBforMariaDB/servers/virtualNetworkRules",
+ "Microsoft.DBforMariaDB/checkNameAvailability",
+ "Microsoft.DBforMariaDB/locations",
+ "Microsoft.DBforMariaDB/locations/operationResults",
+ "Microsoft.DBforMariaDB/locations/azureAsyncOperation",
+ "Microsoft.DBforMariaDB/locations/performanceTiers",
+ "Microsoft.DBforMariaDB/locations/securityAlertPoliciesAzureAsyncOperation",
+ "Microsoft.DBforMariaDB/locations/privateEndpointConnectionProxyOperationResults",
+ "Microsoft.DBforMariaDB/locations/privateEndpointConnectionProxyAzureAsyncOperation",
+ "Microsoft.DBforMariaDB/locations/privateEndpointConnectionOperationResults",
+ "Microsoft.DBforMariaDB/locations/privateEndpointConnectionAzureAsyncOperation",
+ "Microsoft.DBforMariaDB/locations/securityAlertPoliciesOperationResults",
+ "Microsoft.DBforMariaDB/locations/recommendedActionSessionsAzureAsyncOperation",
+ "Microsoft.DBforMariaDB/locations/recommendedActionSessionsOperationResults",
+ "Microsoft.DBforMariaDB/servers/topQueryStatistics",
+ "Microsoft.DBforMariaDB/servers/queryTexts",
+ "Microsoft.DBforMariaDB/servers/waitStatistics",
+ "Microsoft.DBforMariaDB/servers/resetQueryPerformanceInsightData",
+ "Microsoft.DBforMariaDB/servers/advisors",
+ "Microsoft.DBforMariaDB/servers/privateLinkResources",
+ "Microsoft.DBforMariaDB/servers/privateEndpointConnections",
+ "Microsoft.DBforMariaDB/servers/privateEndpointConnectionProxies",
+ "Microsoft.DBforMariaDB/servers/keys",
+ "Microsoft.DBforMariaDB/locations/serverKeyAzureAsyncOperation",
+ "Microsoft.DBforMariaDB/locations/serverKeyOperationResults",
+ "Microsoft.DBforMariaDB/servers/start",
+ "Microsoft.DBforMariaDB/servers/stop",
+ "Microsoft.Cache/Redis",
+ "Microsoft.Cache/Redis/privateEndpointConnectionProxies",
+ "Microsoft.Cache/Redis/privateEndpointConnectionProxies/validate",
+ "Microsoft.Cache/Redis/privateEndpointConnections",
+ "Microsoft.Cache/Redis/privateLinkResources",
+ "Microsoft.Cache/locations/asyncOperations",
+ "Microsoft.Cache/locations",
+ "Microsoft.Cache/locations/operationResults",
+ "Microsoft.Cache/locations/operationsStatus",
+ "Microsoft.Cache/checkNameAvailability",
+ "Microsoft.Cache/operations",
+ "Microsoft.Cache/redisEnterprise",
+ "Microsoft.Cache/RedisEnterprise/privateEndpointConnectionProxies",
+ "Microsoft.Cache/RedisEnterprise/privateEndpointConnectionProxies/validate",
+ "Microsoft.Cache/RedisEnterprise/privateEndpointConnectionProxies/operationresults",
+ "Microsoft.Cache/RedisEnterprise/privateEndpointConnections",
+ "Microsoft.Cache/RedisEnterprise/privateEndpointConnections/operationresults",
+ "Microsoft.Cache/RedisEnterprise/privateLinkResources",
+ "Microsoft.Cache/redisEnterprise/databases",
+ "Microsoft.Cache/locations/checkNameAvailability",
+ "Microsoft.Cache/Redis/EventGridFilters",
+ "Microsoft.RecoveryServices/vaults",
+ "Microsoft.RecoveryServices/operations",
+ "Microsoft.RecoveryServices/locations",
+ "Microsoft.RecoveryServices/locations/backupStatus",
+ "Microsoft.RecoveryServices/locations/checkNameAvailability",
+ "Microsoft.RecoveryServices/locations/allocatedStamp",
+ "Microsoft.RecoveryServices/locations/allocateStamp",
+ "Microsoft.RecoveryServices/locations/backupValidateFeatures",
+ "Microsoft.RecoveryServices/locations/backupPreValidateProtection",
+ "Microsoft.RecoveryServices/locations/backupCrrJobs",
+ "Microsoft.RecoveryServices/locations/backupCrrJob",
+ "Microsoft.RecoveryServices/locations/backupAadProperties",
+ "Microsoft.RecoveryServices/locations/backupCrossRegionRestore",
+ "Microsoft.RecoveryServices/locations/backupCrrOperationResults",
+ "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus",
+ "Microsoft.RecoveryServices/backupProtectedItems",
+ "Microsoft.RecoveryServices/replicationEligibilityResults",
+ "Microsoft.RecoveryServices/locations/capabilities",
+ "Microsoft.ServiceBus/namespaces",
+ "Microsoft.ServiceBus/namespaces/authorizationrules",
+ "Microsoft.ServiceBus/namespaces/networkrulesets",
+ "Microsoft.ServiceBus/namespaces/privateEndpointConnections",
+ "Microsoft.ServiceBus/namespaces/privateEndpointConnectionProxies",
+ "Microsoft.ServiceBus/namespaces/queues",
+ "Microsoft.ServiceBus/namespaces/queues/authorizationrules",
+ "Microsoft.ServiceBus/namespaces/topics",
+ "Microsoft.ServiceBus/namespaces/topics/authorizationrules",
+ "Microsoft.ServiceBus/namespaces/topics/subscriptions",
+ "Microsoft.ServiceBus/namespaces/topics/subscriptions/rules",
+ "Microsoft.ServiceBus/checkNamespaceAvailability",
+ "Microsoft.ServiceBus/checkNameAvailability",
+ "Microsoft.ServiceBus/sku",
+ "Microsoft.ServiceBus/premiumMessagingRegions",
+ "Microsoft.ServiceBus/operations",
+ "Microsoft.ServiceBus/namespaces/eventgridfilters",
+ "Microsoft.ServiceBus/namespaces/disasterrecoveryconfigs",
+ "Microsoft.ServiceBus/namespaces/migrationConfigurations",
+ "Microsoft.ServiceBus/namespaces/disasterrecoveryconfigs/checkNameAvailability",
+ "Microsoft.ServiceBus/locations",
+ "Microsoft.ServiceBus/locations/operationStatus",
+ "Microsoft.ServiceBus/locations/namespaceOperationResults",
+ "Microsoft.ServiceBus/locations/deleteVirtualNetworkOrSubnets",
+ "Microsoft.ServiceFabricMesh/applications",
+ "Microsoft.ServiceFabricMesh/networks",
+ "Microsoft.ServiceFabricMesh/volumes",
+ "Microsoft.ServiceFabricMesh/secrets",
+ "Microsoft.ServiceFabricMesh/gateways",
+ "Microsoft.ServiceFabricMesh/locations",
+ "Microsoft.ServiceFabricMesh/locations/applicationOperations",
+ "Microsoft.ServiceFabricMesh/locations/networkOperations",
+ "Microsoft.ServiceFabricMesh/locations/volumeOperations",
+ "Microsoft.ServiceFabricMesh/locations/gatewayOperations",
+ "Microsoft.ServiceFabricMesh/locations/secretOperations",
+ "Microsoft.ServiceFabricMesh/operations",
+ "Microsoft.NotificationHubs/namespaces",
+ "Microsoft.NotificationHubs/namespaces/notificationHubs",
+ "Microsoft.NotificationHubs/checkNamespaceAvailability",
+ "Microsoft.NotificationHubs/checkNameAvailability",
+ "Microsoft.NotificationHubs/operations",
+ "Microsoft.ContainerRegistry/registries",
+ "Microsoft.ContainerRegistry/registries/cacheRules",
+ "Microsoft.ContainerRegistry/registries/credentialSets",
+ "Microsoft.ContainerRegistry/registries/connectedRegistries",
+ "Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate",
+ "Microsoft.ContainerRegistry/registries/scopeMaps",
+ "Microsoft.ContainerRegistry/registries/tokens",
+ "Microsoft.ContainerRegistry/registries/generateCredentials",
+ "Microsoft.ContainerRegistry/registries/privateEndpointConnections",
+ "Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies",
+ "Microsoft.ContainerRegistry/registries/privateEndpointConnectionProxies/validate",
+ "Microsoft.ContainerRegistry/registries/privateLinkResources",
+ "Microsoft.ContainerRegistry/registries/importImage",
+ "Microsoft.ContainerRegistry/registries/exportPipelines",
+ "Microsoft.ContainerRegistry/registries/importPipelines",
+ "Microsoft.ContainerRegistry/registries/pipelineRuns",
+ "Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl",
+ "Microsoft.ContainerRegistry/registries/scheduleRun",
+ "Microsoft.ContainerRegistry/registries/runs",
+ "Microsoft.ContainerRegistry/registries/taskRuns",
+ "Microsoft.ContainerRegistry/registries/taskRuns/listDetails",
+ "Microsoft.ContainerRegistry/registries/agentPools",
+ "Microsoft.ContainerRegistry/registries/agentPoolsOperationResults",
+ "Microsoft.ContainerRegistry/registries/agentPools/listQueueStatus",
+ "Microsoft.ContainerRegistry/registries/runs/listLogSasUrl",
+ "Microsoft.ContainerRegistry/registries/runs/cancel",
+ "Microsoft.ContainerRegistry/registries/tasks",
+ "Microsoft.ContainerRegistry/registries/tasks/listDetails",
+ "Microsoft.ContainerRegistry/registries/replications",
+ "Microsoft.ContainerRegistry/registries/webhooks",
+ "Microsoft.ContainerRegistry/registries/webhooks/ping",
+ "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig",
+ "Microsoft.ContainerRegistry/registries/webhooks/listEvents",
+ "Microsoft.ContainerRegistry/locations/operationResults",
+ "Microsoft.ContainerRegistry/locations/deleteVirtualNetworkOrSubnets",
+ "Microsoft.ContainerRegistry/registries/listCredentials",
+ "Microsoft.ContainerRegistry/registries/regenerateCredential",
+ "Microsoft.ContainerRegistry/registries/listUsages",
+ "Microsoft.ContainerRegistry/registries/listPolicies",
+ "Microsoft.ContainerRegistry/registries/updatePolicies",
+ "Microsoft.ContainerRegistry/registries/eventGridFilters",
+ "Microsoft.ContainerRegistry/checkNameAvailability",
+ "Microsoft.ContainerRegistry/operations",
+ "Microsoft.ContainerRegistry/locations",
+ "Microsoft.StreamAnalytics/streamingjobs",
+ "Microsoft.StreamAnalytics/clusters",
+ "Microsoft.StreamAnalytics/clusters/privateEndpoints",
+ "Microsoft.StreamAnalytics/locations",
+ "Microsoft.StreamAnalytics/locations/quotas",
+ "Microsoft.StreamAnalytics/locations/testQuery",
+ "Microsoft.StreamAnalytics/locations/compileQuery",
+ "Microsoft.StreamAnalytics/locations/sampleInput",
+ "Microsoft.StreamAnalytics/locations/testInput",
+ "Microsoft.StreamAnalytics/locations/testOutput",
+ "Microsoft.StreamAnalytics/locations/operationResults",
+ "Microsoft.StreamAnalytics/operations",
+ "Microsoft.DataLakeAnalytics/accounts",
+ "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts",
+ "Microsoft.DataLakeAnalytics/accounts/storageAccounts",
+ "Microsoft.DataLakeAnalytics/accounts/storageAccounts/containers",
+ "Microsoft.DataLakeAnalytics/accounts/storageAccounts/containers/listSasTokens",
+ "Microsoft.DataLakeAnalytics/locations",
+ "Microsoft.DataLakeAnalytics/locations/operationresults",
+ "Microsoft.DataLakeAnalytics/locations/checkNameAvailability",
+ "Microsoft.DataLakeAnalytics/locations/capability",
+ "Microsoft.DataLakeAnalytics/locations/usages",
+ "Microsoft.DataLakeAnalytics/operations",
+ "Microsoft.Relay/namespaces",
+ "Microsoft.Relay/namespaces/authorizationrules",
+ "Microsoft.Relay/namespaces/privateEndpointConnections",
+ "Microsoft.Relay/namespaces/privateEndpointConnectionProxies",
+ "Microsoft.Relay/namespaces/hybridconnections",
+ "Microsoft.Relay/namespaces/hybridconnections/authorizationrules",
+ "Microsoft.Relay/namespaces/wcfrelays",
+ "Microsoft.Relay/namespaces/wcfrelays/authorizationrules",
+ "Microsoft.Relay/checkNameAvailability",
+ "Microsoft.Relay/operations",
+ "Microsoft.Relay/locations",
+ "Microsoft.Relay/locations/namespaceOperationResults",
+ "Microsoft.DevTestLab/labs/environments",
+ "Microsoft.DevTestLab/labs",
+ "Microsoft.DevTestLab/schedules",
+ "Microsoft.DevTestLab/labs/virtualMachines",
+ "Microsoft.DevTestLab/labs/serviceRunners",
+ "Microsoft.DevTestLab/operations",
+ "Microsoft.DevTestLab/locations",
+ "Microsoft.DevTestLab/locations/operations",
+ "Microsoft.EventHub/namespaces",
+ "Microsoft.EventHub/clusters",
+ "Microsoft.EventHub/namespaces/authorizationrules",
+ "Microsoft.EventHub/namespaces/networkrulesets",
+ "Microsoft.EventHub/namespaces/privateEndpointConnections",
+ "Microsoft.EventHub/namespaces/privateEndpointConnectionProxies",
+ "Microsoft.EventHub/namespaces/networkSecurityPerimeterConfigurations",
+ "Microsoft.EventHub/namespaces/networkSecurityPerimeterAssociationProxies",
+ "Microsoft.EventHub/namespaces/eventhubs",
+ "Microsoft.EventHub/namespaces/eventhubs/authorizationrules",
+ "Microsoft.EventHub/namespaces/eventhubs/consumergroups",
+ "Microsoft.EventHub/namespaces/applicationGroups",
+ "Microsoft.EventHub/checkNamespaceAvailability",
+ "Microsoft.EventHub/checkNameAvailability",
+ "Microsoft.EventHub/sku",
+ "Microsoft.EventHub/operations",
+ "Microsoft.EventHub/namespaces/disasterrecoveryconfigs",
+ "Microsoft.EventHub/namespaces/disasterrecoveryconfigs/checkNameAvailability",
+ "Microsoft.EventHub/locations",
+ "Microsoft.EventHub/locations/operationStatus",
+ "Microsoft.EventHub/locations/clusterOperationResults",
+ "Microsoft.EventHub/locations/namespaceOperationResults",
+ "Microsoft.EventHub/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.EventHub/locations/deleteVirtualNetworkOrSubnets",
+ "Microsoft.EventHub/availableClusterRegions",
+ "Microsoft.AppPlatform/Spring",
+ "Microsoft.AppPlatform/Spring/operationResults",
+ "Microsoft.AppPlatform/Spring/operationStatuses",
+ "Microsoft.AppPlatform/Spring/apps",
+ "Microsoft.AppPlatform/Spring/apps/operationResults",
+ "Microsoft.AppPlatform/Spring/apps/operationStatuses",
+ "Microsoft.AppPlatform/Spring/apps/deployments",
+ "Microsoft.AppPlatform/Spring/apps/deployments/operationResults",
+ "Microsoft.AppPlatform/Spring/apps/deployments/operationStatuses",
+ "Microsoft.AppPlatform/Spring/configServers",
+ "Microsoft.AppPlatform/Spring/configServers/operationResults",
+ "Microsoft.AppPlatform/Spring/configServers/operationStatuses",
+ "Microsoft.AppPlatform/Spring/eurekaServers",
+ "Microsoft.AppPlatform/Spring/eurekaServers/operationResults",
+ "Microsoft.AppPlatform/Spring/eurekaServers/operationStatuses",
+ "Microsoft.AppPlatform/Spring/apps/domains",
+ "Microsoft.AppPlatform/Spring/apps/domains/operationResults",
+ "Microsoft.AppPlatform/Spring/apps/domains/operationStatuses",
+ "Microsoft.AppPlatform/locations/checkNameAvailability",
+ "Microsoft.AppPlatform/operations",
+ "Microsoft.AppPlatform/locations",
+ "Microsoft.AppPlatform/runtimeVersions",
+ "Microsoft.AppPlatform/locations/operationResults",
+ "Microsoft.AppPlatform/locations/operationStatus",
+ "Microsoft.CustomProviders/resourceProviders",
+ "Microsoft.CustomProviders/resourceProviders/operationResults",
+ "Microsoft.CustomProviders/resourceProviders/operationStatuses",
+ "Microsoft.CustomProviders/associations",
+ "Microsoft.CustomProviders/operations",
+ "Microsoft.CustomProviders/locations",
+ "Microsoft.CustomProviders/locations/operationStatuses",
+ "Microsoft.CustomProviders/locations/operationResults",
+ "Microsoft.DocumentDB/databaseAccounts",
+ "Microsoft.DocumentDB/databaseAccountNames",
+ "Microsoft.DocumentDB/operations",
+ "Microsoft.DocumentDB/operationResults",
+ "Microsoft.DocumentDB/operationsStatus",
+ "Microsoft.DocumentDB/locations/operationsStatus",
+ "Microsoft.DocumentDB/locations/operationResults",
+ "Microsoft.DocumentDB/locations",
+ "Microsoft.DocumentDB/locations/deleteVirtualNetworkOrSubnets",
+ "Microsoft.DocumentDB/locations/restorableDatabaseAccounts",
+ "Microsoft.DocumentDB/restorableDatabaseAccounts",
+ "Microsoft.DocumentDB/cassandraClusters",
+ "Microsoft.DocumentDB/databaseAccounts/encryptionScopes",
+ "Microsoft.DocumentDB/mongoClusters",
+ "Microsoft.DocumentDB/locations/mongoClusterOperationResults",
+ "Microsoft.DocumentDB/locations/mongoClusterAzureAsyncOperation",
+ "Microsoft.DocumentDB/locations/checkMongoClusterNameAvailability",
+ "Microsoft.DocumentDB/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.DocumentDB/throughputPools",
+ "Microsoft.DocumentDB/throughputPools/throughputPoolAccounts",
+ "Microsoft.Maintenance/maintenanceConfigurations",
+ "Microsoft.Maintenance/updates",
+ "Microsoft.Maintenance/configurationAssignments",
+ "Microsoft.Maintenance/applyUpdates",
+ "Microsoft.Maintenance/publicMaintenanceConfigurations",
+ "Microsoft.Maintenance/operations",
+ "Microsoft.Sql/operations",
+ "Microsoft.Sql/locations",
+ "Microsoft.Sql/locations/capabilities",
+ "Microsoft.Sql/locations/databaseAzureAsyncOperation",
+ "Microsoft.Sql/locations/databaseOperationResults",
+ "Microsoft.Sql/locations/databaseEncryptionProtectorRevalidateAzureAsyncOperation",
+ "Microsoft.Sql/locations/databaseEncryptionProtectorRevalidateOperationResults",
+ "Microsoft.Sql/locations/databaseEncryptionProtectorRevertAzureAsyncOperation",
+ "Microsoft.Sql/locations/databaseEncryptionProtectorRevertOperationResults",
+ "Microsoft.Sql/locations/serverKeyAzureAsyncOperation",
+ "Microsoft.Sql/locations/serverKeyOperationResults",
+ "Microsoft.Sql/servers/keys",
+ "Microsoft.Sql/servers/encryptionProtector",
+ "Microsoft.Sql/locations/encryptionProtectorOperationResults",
+ "Microsoft.Sql/locations/encryptionProtectorAzureAsyncOperation",
+ "Microsoft.Sql/locations/externalPolicyBasedAuthorizationsAzureAsycOperation",
+ "Microsoft.Sql/locations/externalPolicyBasedAuthorizationsOperationResults",
+ "Microsoft.Sql/locations/refreshExternalGovernanceStatusOperationResults",
+ "Microsoft.Sql/locations/refreshExternalGovernanceStatusAzureAsyncOperation",
+ "Microsoft.Sql/locations/refreshExternalGovernanceStatusMIOperationResults",
+ "Microsoft.Sql/locations/refreshExternalGovernanceStatusMIAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedInstanceKeyAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedInstanceKeyOperationResults",
+ "Microsoft.Sql/locations/managedInstanceEncryptionProtectorOperationResults",
+ "Microsoft.Sql/locations/managedInstanceEncryptionProtectorAzureAsyncOperation",
+ "Microsoft.Sql/locations/transparentDataEncryptionAzureAsyncOperation",
+ "Microsoft.Sql/locations/transparentDataEncryptionOperationResults",
+ "Microsoft.Sql/locations/managedtransparentDataEncryptionAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedtransparentDataEncryptionOperationResults",
+ "Microsoft.Sql/servers/tdeCertificates",
+ "Microsoft.Sql/locations/tdeCertAzureAsyncOperation",
+ "Microsoft.Sql/locations/tdeCertOperationResults",
+ "Microsoft.Sql/locations/serverAzureAsyncOperation",
+ "Microsoft.Sql/locations/serverOperationResults",
+ "Microsoft.Sql/locations/usages",
+ "Microsoft.Sql/checkNameAvailability",
+ "Microsoft.Sql/servers",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/serviceObjectives",
+ "Microsoft.Sql/servers/communicationLinks",
+ "Microsoft.Sql/servers/administrators",
+ "Microsoft.Sql/servers/administratorOperationResults",
+ "Microsoft.Sql/locations/serverAdministratorAzureAsyncOperation",
+ "Microsoft.Sql/locations/serverAdministratorOperationResults",
+ "Microsoft.Sql/servers/restorableDroppedDatabases",
+ "Microsoft.Sql/servers/recoverableDatabases",
+ "Microsoft.Sql/servers/databases/geoBackupPolicies",
+ "Microsoft.Sql/servers/import",
+ "Microsoft.Sql/servers/importExportOperationResults",
+ "Microsoft.Sql/servers/operationResults",
+ "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies",
+ "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies",
+ "Microsoft.Sql/servers/databaseSecurityPolicies",
+ "Microsoft.Sql/servers/automaticTuning",
+ "Microsoft.Sql/servers/databases/automaticTuning",
+ "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "Microsoft.Sql/servers/databases/ledgerDigestUploads",
+ "Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation",
+ "Microsoft.Sql/locations/ledgerDigestUploadsOperationResults",
+ "Microsoft.Sql/servers/recommendedElasticPools",
+ "Microsoft.Sql/servers/databases/dataMaskingPolicies",
+ "Microsoft.Sql/servers/databases/dataMaskingPolicies/rules",
+ "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "Microsoft.Sql/servers/securityAlertPolicies",
+ "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/advancedThreatProtectionSettings",
+ "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings",
+ "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/databases/auditingSettings",
+ "Microsoft.Sql/servers/auditingSettings",
+ "Microsoft.Sql/servers/extendedAuditingSettings",
+ "Microsoft.Sql/servers/devOpsAuditingSettings",
+ "Microsoft.Sql/locations/auditingSettingsAzureAsyncOperation",
+ "Microsoft.Sql/locations/auditingSettingsOperationResults",
+ "Microsoft.Sql/locations/extendedAuditingSettingsAzureAsyncOperation",
+ "Microsoft.Sql/locations/extendedAuditingSettingsOperationResults",
+ "Microsoft.Sql/locations/devOpsAuditingSettingsOperationResults",
+ "Microsoft.Sql/locations/devOpsAuditingSettingsAzureAsyncOperation",
+ "Microsoft.Sql/locations/elasticPoolAzureAsyncOperation",
+ "Microsoft.Sql/locations/elasticPoolOperationResults",
+ "Microsoft.Sql/servers/elasticpools",
+ "Microsoft.Sql/servers/jobAccounts",
+ "Microsoft.Sql/servers/jobAgents",
+ "Microsoft.Sql/locations/jobAgentOperationResults",
+ "Microsoft.Sql/locations/jobAgentAzureAsyncOperation",
+ "Microsoft.Sql/servers/jobAgents/privateEndpoints",
+ "Microsoft.Sql/locations/jobAgentPrivateEndpointOperationResults",
+ "Microsoft.Sql/locations/jobAgentPrivateEndpointAzureAsyncOperation",
+ "Microsoft.Sql/servers/jobAgents/jobs",
+ "Microsoft.Sql/servers/jobAgents/jobs/steps",
+ "Microsoft.Sql/servers/jobAgents/jobs/executions",
+ "Microsoft.Sql/servers/disasterRecoveryConfiguration",
+ "Microsoft.Sql/servers/dnsAliases",
+ "Microsoft.Sql/locations/dnsAliasAsyncOperation",
+ "Microsoft.Sql/locations/dnsAliasOperationResults",
+ "Microsoft.Sql/servers/failoverGroups",
+ "Microsoft.Sql/locations/failoverGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/failoverGroupOperationResults",
+ "Microsoft.Sql/locations/firewallRulesOperationResults",
+ "Microsoft.Sql/locations/firewallRulesAzureAsyncOperation",
+ "Microsoft.Sql/locations/ipv6FirewallRulesOperationResults",
+ "Microsoft.Sql/locations/ipv6FirewallRulesAzureAsyncOperation",
+ "Microsoft.Sql/locations/deleteVirtualNetworkOrSubnets",
+ "Microsoft.Sql/servers/virtualNetworkRules",
+ "Microsoft.Sql/locations/virtualNetworkRulesOperationResults",
+ "Microsoft.Sql/locations/virtualNetworkRulesAzureAsyncOperation",
+ "Microsoft.Sql/locations/deleteVirtualNetworkOrSubnetsOperationResults",
+ "Microsoft.Sql/locations/deleteVirtualNetworkOrSubnetsAzureAsyncOperation",
+ "Microsoft.Sql/locations/databaseRestoreAzureAsyncOperation",
+ "Microsoft.Sql/servers/usages",
+ "Microsoft.Sql/servers/databases/metricDefinitions",
+ "Microsoft.Sql/servers/databases/metrics",
+ "Microsoft.Sql/servers/aggregatedDatabaseMetrics",
+ "Microsoft.Sql/servers/elasticpools/metrics",
+ "Microsoft.Sql/servers/elasticpools/metricdefinitions",
+ "Microsoft.Sql/servers/databases/topQueries",
+ "Microsoft.Sql/servers/databases/topQueries/queryText",
+ "Microsoft.Sql/servers/advisors",
+ "Microsoft.Sql/servers/elasticPools/advisors",
+ "Microsoft.Sql/servers/databases/advisors",
+ "Microsoft.Sql/servers/databases/extensions",
+ "Microsoft.Sql/servers/elasticPoolEstimates",
+ "Microsoft.Sql/servers/databases/auditRecords",
+ "Microsoft.Sql/servers/databases/VulnerabilityAssessmentScans",
+ "Microsoft.Sql/servers/databases/workloadGroups",
+ "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
+ "Microsoft.Sql/servers/vulnerabilityAssessments",
+ "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments",
+ "Microsoft.Sql/managedInstances/vulnerabilityAssessments",
+ "Microsoft.Sql/servers/databases/VulnerabilityAssessmentSettings",
+ "Microsoft.Sql/servers/databases/VulnerabilityAssessment",
+ "Microsoft.Sql/locations/vulnerabilityAssessmentScanAzureAsyncOperation",
+ "Microsoft.Sql/locations/vulnerabilityAssessmentScanOperationResults",
+ "Microsoft.Sql/servers/databases/sqlvulnerabilityassessments",
+ "Microsoft.Sql/servers/sqlvulnerabilityassessments",
+ "Microsoft.Sql/locations/sqlVulnerabilityAssessmentAzureAsyncOperation",
+ "Microsoft.Sql/locations/sqlVulnerabilityAssessmentOperationResults",
+ "Microsoft.Sql/servers/databases/recommendedSensitivityLabels",
+ "Microsoft.Sql/servers/databases/syncGroups",
+ "Microsoft.Sql/servers/databases/syncGroups/syncMembers",
+ "Microsoft.Sql/servers/syncAgents",
+ "Microsoft.Sql/instancePools",
+ "Microsoft.Sql/locations/importExportOperationResults",
+ "Microsoft.Sql/locations/importExportAzureAsyncOperation",
+ "Microsoft.Sql/locations/instancePoolOperationResults",
+ "Microsoft.Sql/locations/instancePoolAzureAsyncOperation",
+ "Microsoft.Sql/managedInstances",
+ "Microsoft.Sql/managedInstances/administrators",
+ "Microsoft.Sql/managedInstances/databases",
+ "Microsoft.Sql/managedInstances/recoverableDatabases",
+ "Microsoft.Sql/managedInstances/metrics",
+ "Microsoft.Sql/managedInstances/metricDefinitions",
+ "Microsoft.Sql/managedInstances/databases/backupLongTermRetentionPolicies",
+ "Microsoft.Sql/managedInstances/sqlAgent",
+ "Microsoft.Sql/managedInstances/startStopSchedules",
+ "Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionProxyOperationResults",
+ "Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionProxyAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionOperationResults",
+ "Microsoft.Sql/locations/managedInstancePrivateEndpointConnectionAzureAsyncOperation",
+ "Microsoft.Sql/locations/longTermRetentionManagedInstances",
+ "Microsoft.Sql/locations/longTermRetentionManagedInstanceBackups",
+ "Microsoft.Sql/locations/managedInstanceLongTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/managedInstanceLongTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/longTermRetentionManagedInstanceBackupOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionManagedInstanceBackupAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedDatabaseAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedDatabaseOperationResults",
+ "Microsoft.Sql/locations/managedDatabaseRestoreAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedDatabaseRestoreOperationResults",
+ "Microsoft.Sql/locations/managedDatabaseCompleteRestoreAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedDatabaseCompleteRestoreOperationResults",
+ "Microsoft.Sql/locations/managedServerSecurityAlertPoliciesAzureAsyncOperation",
+ "Microsoft.Sql/locations/stopManagedInstanceAzureAsyncOperation",
+ "Microsoft.Sql/locations/stopManagedInstanceOperationResults",
+ "Microsoft.Sql/locations/startManagedInstanceAzureAsyncOperation",
+ "Microsoft.Sql/locations/startManagedInstanceOperationResults",
+ "Microsoft.Sql/managedInstances/tdeCertificates",
+ "Microsoft.Sql/locations/managedInstanceTdeCertAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedInstanceTdeCertOperationResults",
+ "Microsoft.Sql/locations/managedServerSecurityAlertPoliciesOperationResults",
+ "Microsoft.Sql/locations/securityAlertPoliciesAzureAsyncOperation",
+ "Microsoft.Sql/locations/securityAlertPoliciesOperationResults",
+ "Microsoft.Sql/locations/advancedThreatProtectionAzureAsyncOperation",
+ "Microsoft.Sql/locations/advancedThreatProtectionOperationResults",
+ "Microsoft.Sql/locations/managedInstanceAdvancedThreatProtectionAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedInstanceAdvancedThreatProtectionOperationResults",
+ "Microsoft.Sql/managedInstances/dnsAliases",
+ "Microsoft.Sql/locations/managedDnsAliasAsyncOperation",
+ "Microsoft.Sql/locations/managedDnsAliasOperationResults",
+ "Microsoft.Sql/virtualClusters",
+ "Microsoft.Sql/locations/virtualClusterAzureAsyncOperation",
+ "Microsoft.Sql/locations/virtualClusterOperationResults",
+ "Microsoft.Sql/locations/updateManagedInstanceDnsServersAzureAsyncOperation",
+ "Microsoft.Sql/locations/updateManagedInstanceDnsServersOperationResults",
+ "Microsoft.Sql/locations/managedInstanceAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedInstanceOperationResults",
+ "Microsoft.Sql/locations/distributedAvailabilityGroupsOperationResults",
+ "Microsoft.Sql/locations/distributedAvailabilityGroupsAzureAsyncOperation",
+ "Microsoft.Sql/locations/serverTrustCertificatesOperationResults",
+ "Microsoft.Sql/locations/serverTrustCertificatesAzureAsyncOperation",
+ "Microsoft.Sql/locations/administratorAzureAsyncOperation",
+ "Microsoft.Sql/locations/administratorOperationResults",
+ "Microsoft.Sql/locations/syncGroupOperationResults",
+ "Microsoft.Sql/locations/syncGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/syncMemberOperationResults",
+ "Microsoft.Sql/locations/syncAgentOperationResults",
+ "Microsoft.Sql/locations/syncDatabaseIds",
+ "Microsoft.Sql/locations/longTermRetentionServers",
+ "Microsoft.Sql/locations/longTermRetentionBackups",
+ "Microsoft.Sql/locations/longTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/longTermRetentionBackupOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionBackupAzureAsyncOperation",
+ "Microsoft.Sql/locations/changeLongTermRetentionBackupAccessTierOperationResults",
+ "Microsoft.Sql/locations/changeLongTermRetentionBackupAccessTierAzureAsyncOperation",
+ "Microsoft.Sql/locations/shortTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/shortTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedShortTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/managedShortTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/instanceFailoverGroups",
+ "Microsoft.Sql/locations/instanceFailoverGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/instanceFailoverGroupOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionProxyOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionProxyAzureAsyncOperation",
+ "Microsoft.Sql/locations/privateEndpointConnectionOperationResults",
+ "Microsoft.Sql/locations/outboundFirewallRulesAzureAsyncOperation",
+ "Microsoft.Sql/locations/outboundFirewallRulesOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionAzureAsyncOperation",
+ "Microsoft.Sql/locations/notifyAzureAsyncOperation",
+ "Microsoft.Sql/locations/serverTrustGroups",
+ "Microsoft.Sql/locations/serverTrustGroupOperationResults",
+ "Microsoft.Sql/locations/serverTrustGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedDatabaseMoveOperationResults",
+ "Microsoft.Sql/locations/managedDatabaseMoveAzureAsyncOperation",
+ "Microsoft.Sql/servers/connectionPolicies",
+ "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation",
+ "Microsoft.Sql/locations/connectionPoliciesOperationResults",
+ "Microsoft.Sql/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.Sql/locations/replicationLinksAzureAsyncOperation",
+ "Microsoft.Sql/locations/replicationLinksOperationResults",
+ "Microsoft.Sql/locations/managedInstanceDtcAzureAsyncOperation",
+ "Microsoft.Sql/managedInstances/databases/ledgerDigestUploads",
+ "Microsoft.Sql/locations/managedLedgerDigestUploadsOperationResults",
+ "Microsoft.Sql/locations/managedLedgerDigestUploadsAzureAsyncOperation",
+ "Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation",
+ "Microsoft.Sql/servers/failoverGroups/tryPlannedBeforeForcedFailover",
+ "Microsoft.DBforMySQL/operations",
+ "Microsoft.DBforMySQL/servers",
+ "Microsoft.DBforMySQL/flexibleServers",
+ "Microsoft.DBforMySQL/servers/recoverableServers",
+ "Microsoft.DBforMySQL/servers/virtualNetworkRules",
+ "Microsoft.DBforMySQL/locations/capabilities",
+ "Microsoft.DBforMySQL/locations/capabilitySets",
+ "Microsoft.DBforMySQL/locations/checkNameAvailability",
+ "Microsoft.DBforMySQL/checkNameAvailability",
+ "Microsoft.DBforMySQL/assessForMigration",
+ "Microsoft.DBforMySQL/getPrivateDnsZoneSuffix",
+ "Microsoft.DBforMySQL/locations/checkVirtualNetworkSubnetUsage",
+ "Microsoft.DBforMySQL/locations/listMigrations",
+ "Microsoft.DBforMySQL/locations/updateMigration",
+ "Microsoft.DBforMySQL/locations",
+ "Microsoft.DBforMySQL/locations/operationResults",
+ "Microsoft.DBforMySQL/locations/operationProgress",
+ "Microsoft.DBforMySQL/locations/azureAsyncOperation",
+ "Microsoft.DBforMySQL/locations/administratorOperationResults",
+ "Microsoft.DBforMySQL/locations/administratorAzureAsyncOperation",
+ "Microsoft.DBforMySQL/locations/privateEndpointConnectionProxyOperationResults",
+ "Microsoft.DBforMySQL/locations/privateEndpointConnectionProxyAzureAsyncOperation",
+ "Microsoft.DBforMySQL/locations/privateEndpointConnectionOperationResults",
+ "Microsoft.DBforMySQL/locations/privateEndpointConnectionAzureAsyncOperation",
+ "Microsoft.DBforMySQL/locations/performanceTiers",
+ "Microsoft.DBforMySQL/locations/securityAlertPoliciesAzureAsyncOperation",
+ "Microsoft.DBforMySQL/locations/securityAlertPoliciesOperationResults",
+ "Microsoft.DBforMySQL/locations/recommendedActionSessionsAzureAsyncOperation",
+ "Microsoft.DBforMySQL/locations/recommendedActionSessionsOperationResults",
+ "Microsoft.DBforMySQL/servers/topQueryStatistics",
+ "Microsoft.DBforMySQL/servers/queryTexts",
+ "Microsoft.DBforMySQL/servers/waitStatistics",
+ "Microsoft.DBforMySQL/servers/resetQueryPerformanceInsightData",
+ "Microsoft.DBforMySQL/servers/advisors",
+ "Microsoft.DBforMySQL/servers/privateLinkResources",
+ "Microsoft.DBforMySQL/servers/privateEndpointConnections",
+ "Microsoft.DBforMySQL/servers/privateEndpointConnectionProxies",
+ "Microsoft.DBforMySQL/servers/keys",
+ "Microsoft.DBforMySQL/locations/serverKeyAzureAsyncOperation",
+ "Microsoft.DBforMySQL/locations/serverKeyOperationResults",
+ "Microsoft.DBforMySQL/servers/upgrade",
+ "Microsoft.CognitiveServices/accounts",
+ "Microsoft.CognitiveServices/operations",
+ "Microsoft.CognitiveServices/locations/operationResults",
+ "Microsoft.CognitiveServices/locations",
+ "Microsoft.CognitiveServices/locations/deleteVirtualNetworkOrSubnets",
+ "Microsoft.CognitiveServices/locations/checkSkuAvailability",
+ "Microsoft.CognitiveServices/checkDomainAvailability",
+ "Microsoft.CognitiveServices/accounts/privateLinkResources",
+ "Microsoft.CognitiveServices/accounts/privateEndpointConnections",
+ "Microsoft.CognitiveServices/accounts/privateEndpointConnectionProxies",
+ "Microsoft.CognitiveServices/deletedAccounts",
+ "Microsoft.CognitiveServices/locations/resourceGroups",
+ "Microsoft.CognitiveServices/locations/resourceGroups/deletedAccounts",
+ "Microsoft.CognitiveServices/locations/commitmentTiers",
+ "Microsoft.CognitiveServices/locations/models",
+ "Microsoft.CognitiveServices/locations/usages",
+ "Microsoft.CognitiveServices/locations/raiContentFilters",
+ "Microsoft.CognitiveServices/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.CognitiveServices/accounts/networkSecurityPerimeterAssociationProxies",
+ "Microsoft.CognitiveServices/accounts/encryptionScopes",
+ "Microsoft.CognitiveServices/commitmentPlans",
+ "Microsoft.CognitiveServices/attestations",
+ "Microsoft.CognitiveServices/attestationDefinitions",
+ "Microsoft.Media/mediaservices",
+ "Microsoft.Media/mediaservices/assets",
+ "Microsoft.Media/mediaservices/assets/tracks",
+ "Microsoft.Media/mediaservices/assets/tracks/operationstatuses",
+ "Microsoft.Media/mediaservices/assets/tracks/operationResults",
+ "Microsoft.Media/mediaservices/contentKeyPolicies",
+ "Microsoft.Media/mediaservices/streamingLocators",
+ "Microsoft.Media/mediaservices/streamingPolicies",
+ "Microsoft.Media/mediaservices/eventGridFilters",
+ "Microsoft.Media/mediaservices/transforms",
+ "Microsoft.Media/mediaservices/transforms/jobs",
+ "Microsoft.Media/mediaservices/streamingEndpoints",
+ "Microsoft.Media/mediaservices/liveEvents",
+ "Microsoft.Media/mediaservices/liveEvents/liveOutputs",
+ "Microsoft.Media/mediaservices/streamingEndpointOperations",
+ "Microsoft.Media/mediaservices/liveEventOperations",
+ "Microsoft.Media/mediaservices/liveOutputOperations",
+ "Microsoft.Media/mediaservices/streamingendpoints/operationlocations",
+ "Microsoft.Media/mediaservices/liveevents/operationlocations",
+ "Microsoft.Media/mediaservices/liveevents/liveoutputs/operationlocations",
+ "Microsoft.Media/mediaservices/privateEndpointConnectionProxies",
+ "Microsoft.Media/mediaservices/privateEndpointConnections",
+ "Microsoft.Media/mediaservices/privateEndpointConnectionOperations",
+ "Microsoft.Media/locations/mediaServicesOperationStatuses",
+ "Microsoft.Media/locations/mediaServicesOperationResults",
+ "Microsoft.Media/mediaservices/assets/assetFilters",
+ "Microsoft.Media/mediaservices/accountFilters",
+ "Microsoft.Media/operations",
+ "Microsoft.Media/checknameavailability",
+ "Microsoft.Media/locations",
+ "Microsoft.Media/locations/checkNameAvailability",
+ "Microsoft.Web/publishingUsers",
+ "Microsoft.Web/ishostnameavailable",
+ "Microsoft.Web/validate",
+ "Microsoft.Web/isusernameavailable",
+ "Microsoft.Web/generateGithubAccessTokenForAppserviceCLI",
+ "Microsoft.Web/sourceControls",
+ "Microsoft.Web/availableStacks",
+ "Microsoft.Web/webAppStacks",
+ "Microsoft.Web/locations/webAppStacks",
+ "Microsoft.Web/functionAppStacks",
+ "Microsoft.Web/locations/functionAppStacks",
+ "Microsoft.Web/staticSites",
+ "Microsoft.Web/locations/previewStaticSiteWorkflowFile",
+ 
"Microsoft.Web/staticSites/userProvidedFunctionApps", + "Microsoft.Web/staticSites/linkedBackends", + "Microsoft.Web/staticSites/builds/linkedBackends", + "Microsoft.Web/staticSites/databaseConnections", + "Microsoft.Web/staticSites/builds/databaseConnections", + "Microsoft.Web/staticSites/builds", + "Microsoft.Web/staticSites/builds/userProvidedFunctionApps", + "Microsoft.Web/listSitesAssignedToHostName", + "Microsoft.Web/locations/getNetworkPolicies", + "Microsoft.Web/locations/operations", + "Microsoft.Web/locations/operationResults", + "Microsoft.Web/sites/networkConfig", + "Microsoft.Web/sites/slots/networkConfig", + "Microsoft.Web/sites/hostNameBindings", + "Microsoft.Web/sites/slots/hostNameBindings", + "Microsoft.Web/operations", + "Microsoft.Web/certificates", + "Microsoft.Web/serverFarms", + "Microsoft.Web/sites", + "Microsoft.Web/sites/slots", + "Microsoft.Web/runtimes", + "Microsoft.Web/recommendations", + "Microsoft.Web/resourceHealthMetadata", + "Microsoft.Web/aseregions", + "Microsoft.Web/georegions", + "Microsoft.Web/sites/premieraddons", + "Microsoft.Web/hostingEnvironments", + "Microsoft.Web/hostingEnvironments/multiRolePools", + "Microsoft.Web/hostingEnvironments/workerPools", + "Microsoft.Web/kubeEnvironments", + "Microsoft.Web/deploymentLocations", + "Microsoft.Web/deletedSites", + "Microsoft.Web/locations/deletedSites", + "Microsoft.Web/ishostingenvironmentnameavailable", + "Microsoft.Web/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.Web/locations/validateDeleteVirtualNetworkOrSubnets", + "Microsoft.Web/connections", + "Microsoft.Web/customApis", + "Microsoft.Web/locations", + "Microsoft.Web/locations/listWsdlInterfaces", + "Microsoft.Web/locations/extractApiDefinitionFromWsdl", + "Microsoft.Web/locations/managedApis", + "Microsoft.Web/locations/runtimes", + "Microsoft.Web/locations/apiOperations", + "Microsoft.Web/connectionGateways", + "Microsoft.Web/locations/connectionGatewayInstallations", + "Microsoft.Web/checkNameAvailability", 
+ "Microsoft.Web/billingMeters", + "Microsoft.Web/verifyHostingEnvironmentVnet", + "Microsoft.Web/serverFarms/eventGridFilters", + "Microsoft.Web/sites/eventGridFilters", + "Microsoft.Web/sites/slots/eventGridFilters", + "Microsoft.Web/hostingEnvironments/eventGridFilters", + "Microsoft.Web/serverFarms/firstPartyApps", + "Microsoft.Web/serverFarms/firstPartyApps/keyVaultSettings", + "Microsoft.Web/containerApps", + "Microsoft.Web/customhostnameSites", + "Microsoft.Web/locations/usages", + "Microsoft.Search/searchServices", + "Microsoft.Search/checkServiceNameAvailability", + "Microsoft.Search/checkNameAvailability", + "Microsoft.Search/resourceHealthMetadata", + "Microsoft.Search/operations", + "Microsoft.Search/locations", + "Microsoft.Search/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.Search/locations/usages", + "Microsoft.Search/locations/operationResults", + "Microsoft.DataLakeStore/accounts", + "Microsoft.DataLakeStore/accounts/firewallRules", + "Microsoft.DataLakeStore/accounts/eventGridFilters", + "Microsoft.DataLakeStore/locations", + "Microsoft.DataLakeStore/locations/operationresults", + "Microsoft.DataLakeStore/locations/checkNameAvailability", + "Microsoft.DataLakeStore/locations/capability", + "Microsoft.DataLakeStore/locations/usages", + "Microsoft.DataLakeStore/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.DataLakeStore/operations", + "Microsoft.DataMigration/locations", + "Microsoft.DataMigration/services", + "Microsoft.DataMigration/services/projects", + "Microsoft.DataMigration/locations/operationResults", + "Microsoft.DataMigration/locations/operationStatuses", + "Microsoft.DataMigration/locations/checkNameAvailability", + "Microsoft.DataMigration/operations", + "Microsoft.DataMigration/migrationServices", + "Microsoft.DataMigration/SqlMigrationServices", + "Microsoft.DataMigration/DatabaseMigrations", + "Microsoft.DataMigration/Locations/OperationTypes", + 
"Microsoft.DataMigration/locations/migrationServiceOperationResults", + "Microsoft.DataMigration/Locations/sqlMigrationServiceOperationResults", + "Microsoft.Kusto/clusters", + "Microsoft.Kusto/clusters/databases", + "Microsoft.Kusto/clusters/attacheddatabaseconfigurations", + "Microsoft.Kusto/clusters/principalassignments", + "Microsoft.Kusto/clusters/databases/eventhubconnections", + "Microsoft.Kusto/clusters/databases/dataconnections", + "Microsoft.Kusto/clusters/databases/principalassignments", + "Microsoft.Kusto/locations/operationResults", + "Microsoft.Kusto/locations", + "Microsoft.Kusto/locations/checkNameAvailability", + "Microsoft.Kusto/locations/skus", + "Microsoft.Kusto/operations", + "Microsoft.Kusto/clusters/databases/scripts", + "Microsoft.Kusto/clusters/managedPrivateEndpoints", + "Microsoft.Kusto/clusters/sandboxCustomImages", + "Microsoft.ApiManagement/service", + "Microsoft.ApiManagement/deletedServices", + "Microsoft.ApiManagement/locations", + "Microsoft.ApiManagement/locations/deletedServices", + "Microsoft.ApiManagement/validateServiceName", + "Microsoft.ApiManagement/checkServiceNameAvailability", + "Microsoft.ApiManagement/checkNameAvailability", + "Microsoft.ApiManagement/reportFeedback", + "Microsoft.ApiManagement/checkFeedbackRequired", + "Microsoft.ApiManagement/operations", + "Microsoft.ApiManagement/getDomainOwnershipIdentifier", + "Microsoft.ApiManagement/service/eventGridFilters", + "Microsoft.MixedReality/locations", + "Microsoft.MixedReality/locations/checkNameAvailability", + "Microsoft.MixedReality/operations", + "Microsoft.MixedReality/spatialAnchorsAccounts", + "Microsoft.MixedReality/remoteRenderingAccounts", + "Microsoft.MixedReality/objectAnchorsAccounts", + "Microsoft.Maps/accounts", + "Microsoft.Maps/accounts/creators", + "Microsoft.Maps/accounts/eventGridFilters", + "Microsoft.Maps/operations", + "Microsoft.AVS/locations", + "Microsoft.AVS/locations/checkQuotaAvailability", + 
"Microsoft.AVS/locations/checkTrialAvailability", + "Microsoft.AVS/locations/usages", + "Microsoft.AVS/operations", + "Microsoft.AVS/privateClouds", + "Microsoft.AVS/privateClouds/addons", + "Microsoft.AVS/privateClouds/authorizations", + "Microsoft.AVS/privateClouds/cloudLinks", + "Microsoft.AVS/privateClouds/clusters", + "Microsoft.AVS/privateClouds/clusters/datastores", + "Microsoft.AVS/privateClouds/clusters/placementPolicies", + "Microsoft.AVS/privateClouds/clusters/virtualMachines", + "Microsoft.AVS/privateClouds/eventGridFilters", + "Microsoft.AVS/privateClouds/globalReachConnections", + "Microsoft.AVS/privateClouds/hcxEnterpriseSites", + "Microsoft.AVS/privateClouds/scriptExecutions", + "Microsoft.AVS/privateClouds/scriptPackages", + "Microsoft.AVS/privateClouds/scriptPackages/scriptCmdlets", + "Microsoft.AVS/privateClouds/workloadNetworks", + "Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations", + "Microsoft.AVS/privateClouds/workloadNetworks/dnsServices", + "Microsoft.AVS/privateClouds/workloadNetworks/dnsZones", + "Microsoft.AVS/privateClouds/workloadNetworks/gateways", + "Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles", + "Microsoft.AVS/privateClouds/workloadNetworks/publicIPs", + "Microsoft.AVS/privateClouds/workloadNetworks/segments", + "Microsoft.AVS/privateClouds/workloadNetworks/virtualMachines", + "Microsoft.AVS/privateClouds/workloadNetworks/vmGroups", + "Microsoft.Blueprint/blueprints", + "Microsoft.Blueprint/blueprints/artifacts", + "Microsoft.Blueprint/blueprints/versions", + "Microsoft.Blueprint/blueprints/versions/artifacts", + "Microsoft.Blueprint/blueprintAssignments", + "Microsoft.Blueprint/blueprintAssignments/operations", + "Microsoft.Blueprint/blueprintAssignments/assignmentOperations", + "Microsoft.Blueprint/operations", + "Microsoft.HealthcareApis/services", + "Microsoft.HealthcareApis/services/privateEndpointConnectionProxies", + "Microsoft.HealthcareApis/services/privateEndpointConnections", + 
"Microsoft.HealthcareApis/services/privateLinkResources", + "Microsoft.HealthcareApis/services/iomtconnectors", + "Microsoft.HealthcareApis/services/iomtconnectors/connections", + "Microsoft.HealthcareApis/services/iomtconnectors/mappings", + "Microsoft.HealthcareApis/workspaces", + "Microsoft.HealthcareApis/workspaces/privateEndpointConnectionProxies", + "Microsoft.HealthcareApis/workspaces/privateEndpointConnections", + "Microsoft.HealthcareApis/workspaces/privateLinkResources", + "Microsoft.HealthcareApis/workspaces/dicomservices", + "Microsoft.HealthcareApis/workspaces/iotconnectors", + "Microsoft.HealthcareApis/workspaces/iotconnectors/fhirdestinations", + "Microsoft.HealthcareApis/workspaces/fhirservices", + "Microsoft.HealthcareApis/workspaces/eventGridFilters", + "Microsoft.HealthcareApis/locations", + "Microsoft.HealthcareApis/locations/operationresults", + "Microsoft.HealthcareApis/checkNameAvailability", + "Microsoft.HealthcareApis/operations", + "Microsoft.HealthcareApis/validateMedtechMappings", + "Microsoft.Advisor/suppressions", + "Microsoft.Advisor/configurations", + "Microsoft.Advisor/metadata", + "Microsoft.Advisor/recommendations", + "Microsoft.Advisor/generateRecommendations", + "Microsoft.Advisor/operations", + "Microsoft.Advisor/advisorScore", + "Microsoft.Advisor/predict", + "Microsoft.MarketplaceNotifications/reviewsnotifications", + "Microsoft.MarketplaceNotifications/operations", + "Microsoft.ServiceLinker/locations", + "Microsoft.ServiceLinker/locations/operationStatuses", + "Microsoft.ServiceLinker/operations", + "Microsoft.ServiceLinker/linkers", + "Microsoft.ServiceLinker/dryruns", + "Microsoft.ServiceLinker/locations/connectors", + "Microsoft.ServiceLinker/locations/dryruns", + "Microsoft.ServiceLinker/configurationNames", + "Microsoft.ServiceLinker/daprConfigurations", + "Microsoft.DataProtection/BackupVaults", + "Microsoft.DataProtection/ResourceGuards", + "Microsoft.DataProtection/operations", + 
"Microsoft.DataProtection/locations", + "Microsoft.DataProtection/locations/operationResults", + "Microsoft.DataProtection/locations/operationStatus", + "Microsoft.DataProtection/locations/checkNameAvailability", + "Microsoft.DataProtection/locations/checkFeatureSupport", + "Microsoft.DataProtection/backupInstances", + "Microsoft.DataProtection/locations/fetchSecondaryRecoveryPoints", + "Microsoft.DataProtection/locations/fetchCrossRegionRestoreJobs", + "Microsoft.DataProtection/locations/fetchCrossRegionRestoreJob", + "Microsoft.DataProtection/locations/validateCrossRegionRestore", + "Microsoft.DataProtection/locations/crossRegionRestore", + "Microsoft.Consumption/Forecasts", + "Microsoft.Consumption/AggregatedCost", + "Microsoft.Consumption/tenants", + "Microsoft.Consumption/ReservationRecommendations", + "Microsoft.Consumption/ReservationRecommendationDetails", + "Microsoft.Consumption/ReservationSummaries", + "Microsoft.Consumption/ReservationTransactions", + "Microsoft.Consumption/Balances", + "Microsoft.Consumption/Marketplaces", + "Microsoft.Consumption/Pricesheets", + "Microsoft.Consumption/ReservationDetails", + "Microsoft.Consumption/Budgets", + "Microsoft.Consumption/CostTags", + "Microsoft.Consumption/Tags", + "Microsoft.Consumption/Terms", + "Microsoft.Consumption/UsageDetails", + "Microsoft.Consumption/Charges", + "Microsoft.Consumption/credits", + "Microsoft.Consumption/events", + "Microsoft.Consumption/lots", + "Microsoft.Consumption/products", + "Microsoft.Consumption/OperationStatus", + "Microsoft.Consumption/OperationResults", + "Microsoft.Consumption/Operations", + "Microsoft.GuestConfiguration/guestConfigurationAssignments", + "Microsoft.GuestConfiguration/operations", + "Astronomer.Astro/locations", + "Astronomer.Astro/operations", + "Astronomer.Astro/organizations", + "Astronomer.Astro/locations/operationStatuses", + "Dynatrace.Observability/operations", + "Dynatrace.Observability/registeredSubscriptions", + 
"Dynatrace.Observability/locations", + "Dynatrace.Observability/locations/operationStatuses", + "Dynatrace.Observability/monitors", + "Dynatrace.Observability/monitors/tagRules", + "Dynatrace.Observability/monitors/singleSignOnConfigurations", + "Dynatrace.Observability/checkNameAvailability", + "Dynatrace.Observability/getMarketplaceSaaSResourceDetails", + "GitHub.Network/Operations", + "GitHub.Network/networkSettings", + "GitHub.Network/registeredSubscriptions", + "Microsoft.AAD/DomainServices", + "Microsoft.AAD/DomainServices/oucontainer", + "Microsoft.AAD/locations", + "Microsoft.AAD/locations/operationresults", + "Microsoft.AAD/operations", + "Microsoft.AadCustomSecurityAttributesDiagnosticSettings/operations", + "Microsoft.AadCustomSecurityAttributesDiagnosticSettings/diagnosticSettings", + "Microsoft.AadCustomSecurityAttributesDiagnosticSettings/diagnosticSettingsCategories", + "microsoft.aadiam/azureADMetrics", + "microsoft.aadiam/privateLinkForAzureAD", + "microsoft.aadiam/tenants", + "microsoft.aadiam/operations", + "microsoft.aadiam/diagnosticSettings", + "microsoft.aadiam/diagnosticSettingsCategories", + "Microsoft.Addons/supportProviders", + "Microsoft.Addons/operations", + "Microsoft.Addons/operationResults", + "Microsoft.ADHybridHealthService/services", + "Microsoft.ADHybridHealthService/addsservices", + "Microsoft.ADHybridHealthService/configuration", + "Microsoft.ADHybridHealthService/operations", + "Microsoft.ADHybridHealthService/agents", + "Microsoft.ADHybridHealthService/aadsupportcases", + "Microsoft.ADHybridHealthService/reports", + "Microsoft.ADHybridHealthService/servicehealthmetrics", + "Microsoft.ADHybridHealthService/logs", + "Microsoft.ADHybridHealthService/anonymousapiusers", + "Microsoft.AgFoodPlatform/operations", + "Microsoft.AgFoodPlatform/farmBeatsExtensionDefinitions", + "Microsoft.AgFoodPlatform/farmBeatsSolutionDefinitions", + "Microsoft.AgFoodPlatform/checkNameAvailability", + "Microsoft.AgFoodPlatform/locations", + 
"Microsoft.AksHybrid/locations", + "Microsoft.AnalysisServices/servers", + "Microsoft.AnalysisServices/locations", + "Microsoft.AnalysisServices/locations/checkNameAvailability", + "Microsoft.AnalysisServices/locations/operationresults", + "Microsoft.AnalysisServices/locations/operationstatuses", + "Microsoft.AnalysisServices/operations", + "Microsoft.AnyBuild/Locations", + "Microsoft.AnyBuild/Locations/OperationStatuses", + "Microsoft.AnyBuild/clusters", + "Microsoft.AnyBuild/Operations", + "Microsoft.ApiCenter/services", + "Microsoft.ApiCenter/operations", + "Microsoft.ApiCenter/services/eventGridFilters", + "Microsoft.ApiSecurity/Locations", + "Microsoft.ApiSecurity/Locations/OperationStatuses", + "Microsoft.ApiSecurity/Operations", + "Microsoft.ApiSecurity/apiCollections", + "Microsoft.ApiSecurity/apiCollections/apiCollectionDetails", + "Microsoft.ApiSecurity/apiCollectionsMeta", + "Microsoft.ApiSecurity/apiCollectionsMeta/apiCollectionMetaDetails", + "Microsoft.App/managedEnvironments", + "Microsoft.App/managedEnvironments/certificates", + "Microsoft.App/managedEnvironments/managedCertificates", + "Microsoft.App/containerApps", + "Microsoft.App/jobs", + "Microsoft.App/locations", + "Microsoft.App/locations/managedEnvironmentOperationResults", + "Microsoft.App/locations/managedEnvironmentOperationStatuses", + "Microsoft.App/locations/containerappOperationResults", + "Microsoft.App/locations/containerappOperationStatuses", + "Microsoft.App/locations/containerappsjobOperationResults", + "Microsoft.App/locations/containerappsjobOperationStatuses", + "Microsoft.App/locations/sourceControlOperationResults", + "Microsoft.App/locations/sourceControlOperationStatuses", + "Microsoft.App/locations/usages", + "Microsoft.App/operations", + "Microsoft.App/connectedEnvironments", + "Microsoft.App/connectedEnvironments/certificates", + "Microsoft.App/locations/connectedEnvironmentOperationResults", + "Microsoft.App/locations/connectedEnvironmentOperationStatuses", + 
"Microsoft.App/locations/managedCertificateOperationStatuses", + "Microsoft.App/locations/billingMeters", + "Microsoft.App/locations/availableManagedEnvironmentsWorkloadProfileTypes", + "Microsoft.App/getCustomDomainVerificationId", + "Microsoft.App/builders", + "Microsoft.App/builders/builds", + "Microsoft.App/locations/OperationResults", + "Microsoft.App/locations/OperationStatuses", + "Microsoft.App/managedEnvironments/dotNetComponents", + "Microsoft.App/managedEnvironments/javaComponents", + "Microsoft.App/managedEnvironments/daprComponents", + "Microsoft.AppAssessment/Locations", + "Microsoft.AppAssessment/operations", + "Microsoft.AppAssessment/Locations/OperationStatuses", + "Microsoft.AppAssessment/Locations/osVersions", + "Microsoft.AppComplianceAutomation/operations", + "Microsoft.AppComplianceAutomation/locations", + "Microsoft.AppComplianceAutomation/locations/operationStatuses", + "Microsoft.AppComplianceAutomation/reports", + "Microsoft.AppComplianceAutomation/reports/snapshots", + "Microsoft.AppComplianceAutomation/onboard", + "Microsoft.AppComplianceAutomation/triggerEvaluation", + "Microsoft.AppComplianceAutomation/reports/webhooks", + "Microsoft.AppComplianceAutomation/reports/evidences", + "Microsoft.AppComplianceAutomation/listInUseStorageAccounts", + "Microsoft.AppComplianceAutomation/checkNameAvailability", + "Microsoft.AppComplianceAutomation/getCollectionCount", + "Microsoft.AppComplianceAutomation/getOverviewStatus", + "Microsoft.AppComplianceAutomation/reports/scopingConfigurations", + "Microsoft.AppConfiguration/configurationStores", + "Microsoft.AppConfiguration/configurationStores/keyValues", + "Microsoft.AppConfiguration/configurationStores/eventGridFilters", + "Microsoft.AppConfiguration/checkNameAvailability", + "Microsoft.AppConfiguration/locations/checkNameAvailability", + "Microsoft.AppConfiguration/locations", + "Microsoft.AppConfiguration/locations/operationsStatus", + "Microsoft.AppConfiguration/operations", + 
"Microsoft.AppConfiguration/deletedConfigurationStores", + "Microsoft.AppConfiguration/locations/deletedConfigurationStores", + "Microsoft.AppConfiguration/configurationStores/replicas", + "Microsoft.AppConfiguration/configurationStores/snapshots", + "Microsoft.AppConfiguration/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.AppSecurity/operationStatuses", + "Microsoft.ArcNetworking/locations", + "Microsoft.ArcNetworking/locations/operationStatuses", + "Microsoft.ArcNetworking/arcNwLoadBalancers", + "Microsoft.Attestation/attestationProviders", + "Microsoft.Attestation/defaultProviders", + "Microsoft.Attestation/locations", + "Microsoft.Attestation/locations/defaultProvider", + "Microsoft.Attestation/operations", + "Microsoft.Authorization/roleAssignmentScheduleRequests", + "Microsoft.Authorization/roleEligibilityScheduleRequests", + "Microsoft.Authorization/roleAssignmentSchedules", + "Microsoft.Authorization/roleEligibilitySchedules", + "Microsoft.Authorization/roleAssignmentScheduleInstances", + "Microsoft.Authorization/roleEligibilityScheduleInstances", + "Microsoft.Authorization/roleManagementPolicies", + "Microsoft.Authorization/roleManagementPolicyAssignments", + "Microsoft.Authorization/eligibleChildResources", + "Microsoft.Authorization/roleManagementAlerts", + "Microsoft.Authorization/roleManagementAlertConfigurations", + "Microsoft.Authorization/roleManagementAlertDefinitions", + "Microsoft.Authorization/roleManagementAlertOperations", + "Microsoft.Authorization/roleAssignments", + "Microsoft.Authorization/roleDefinitions", + "Microsoft.Authorization/classicAdministrators", + "Microsoft.Authorization/permissions", + "Microsoft.Authorization/denyAssignments", + "Microsoft.Authorization/locks", + "Microsoft.Authorization/operations", + "Microsoft.Authorization/policyDefinitions", + "Microsoft.Authorization/policyDefinitions/versions", + "Microsoft.Authorization/policySetDefinitions", + 
"Microsoft.Authorization/policySetDefinitions/versions", + "Microsoft.Authorization/policyAssignments", + "Microsoft.Authorization/policyExemptions", + "Microsoft.Authorization/listPolicyDefinitionVersions", + "Microsoft.Authorization/listPolicySetDefinitionVersions", + "Microsoft.Authorization/dataAliases", + "Microsoft.Authorization/dataPolicyManifests", + "Microsoft.Authorization/providerOperations", + "Microsoft.Authorization/elevateAccess", + "Microsoft.Authorization/checkAccess", + "Microsoft.Authorization/batchResourceCheckAccess", + "Microsoft.Authorization/findOrphanRoleAssignments", + "Microsoft.Authorization/roleAssignmentsUsageMetrics", + "Microsoft.Authorization/accessReviewScheduleDefinitions", + "Microsoft.Authorization/accessReviewScheduleSettings", + "Microsoft.Authorization/accessReviewHistoryDefinitions", + "Microsoft.Authorization/roleAssignmentApprovals", + "Microsoft.Authorization/privateLinkAssociations", + "Microsoft.Authorization/resourceManagementPrivateLinks", + "Microsoft.Authorization/EnablePrivateLinkNetworkAccess", + "Microsoft.Authorization/operationStatus", + "Microsoft.Authorization/diagnosticSettings", + "Microsoft.Authorization/diagnosticSettingsCategories", + "Microsoft.Automanage/configurationProfileAssignments", + "Microsoft.Automanage/configurationProfiles", + "Microsoft.Automanage/configurationProfiles/versions", + "Microsoft.Automanage/bestPractices", + "Microsoft.Automanage/bestPractices/versions", + "Microsoft.Automanage/operations", + "Microsoft.Automanage/servicePrincipals", + "Microsoft.AutonomousDevelopmentPlatform/operations", + "Microsoft.AutonomousDevelopmentPlatform/locations", + "Microsoft.AutonomousDevelopmentPlatform/locations/operationstatuses", + "Microsoft.AutonomousDevelopmentPlatform/checknameavailability", + "Microsoft.AutonomousDevelopmentPlatform/workspaces/eventgridfilters", + "Microsoft.AwsConnector/Locations", + "Microsoft.AwsConnector/Operations", + "Microsoft.AzureActiveDirectory/ciamDirectories", 
+ "Microsoft.AzureActiveDirectory/guestUsages", + "Microsoft.AzureActiveDirectory/b2cDirectories", + "Microsoft.AzureActiveDirectory/checkNameAvailability", + "Microsoft.AzureActiveDirectory/operations", + "Microsoft.AzureActiveDirectory/b2ctenants", + "Microsoft.AzureActiveDirectory/operationStatuses", + "Microsoft.AzureArcData/Locations", + "Microsoft.AzureArcData/Locations/OperationStatuses", + "Microsoft.AzureArcData/DataControllers", + "Microsoft.AzureArcData/SqlManagedInstances", + "Microsoft.AzureArcData/PostgresInstances", + "Microsoft.AzureArcData/SqlServerInstances", + "Microsoft.AzureArcData/Operations", + "Microsoft.AzureArcData/DataControllers/ActiveDirectoryConnectors", + "Microsoft.AzureArcData/SqlServerInstances/Databases", + "Microsoft.AzureArcData/SqlManagedInstances/FailoverGroups", + "Microsoft.AzureArcData/SqlServerInstances/AvailabilityGroups", + "Microsoft.AzureFleet/locations", + "Microsoft.AzureLargeInstance/azureLargeInstances", + "Microsoft.AzureLargeInstance/azureLargeStorageInstances", + "Microsoft.AzureLargeInstance/locations", + "Microsoft.AzureLargeInstance/locations/operationsStatus", + "Microsoft.AzureLargeInstance/operations", + "Microsoft.AzurePercept/checkNameAvailability", + "Microsoft.AzurePercept/operations", + "Microsoft.AzurePlaywrightService/operations", + "Microsoft.AzurePlaywrightService/checkNameAvailability", + "Microsoft.AzurePlaywrightService/Locations", + "Microsoft.AzurePlaywrightService/Locations/OperationStatuses", + "Microsoft.AzurePlaywrightService/accounts", + "Microsoft.AzurePlaywrightService/registeredSubscriptions", + "Microsoft.AzurePlaywrightService/Locations/Quotas", + "Microsoft.AzureScan/scanningAccounts", + "Microsoft.AzureScan/locations", + "Microsoft.AzureScan/locations/OperationStatuses", + "Microsoft.AzureScan/Operations", + "Microsoft.AzureScan/checkNameAvailability", + "Microsoft.AzureSphere/catalogs", + "Microsoft.AzureSphere/catalogs/products", + 
"Microsoft.AzureSphere/catalogs/products/devicegroups", + "Microsoft.AzureSphere/locations", + "Microsoft.AzureSphere/catalogs/certificates", + "Microsoft.AzureSphere/catalogs/images", + "Microsoft.AzureSphere/operations", + "Microsoft.AzureSphere/locations/operationStatuses", + "Microsoft.AzureSphere/catalogs/products/devicegroups/devices", + "Microsoft.AzureSphere/catalogs/products/devicegroups/deployments", + "Microsoft.AzureStack/operations", + "Microsoft.AzureStack/registrations", + "Microsoft.AzureStack/registrations/products", + "Microsoft.AzureStack/registrations/customerSubscriptions", + "Microsoft.AzureStack/cloudManifestFiles", + "Microsoft.AzureStack/linkedSubscriptions", + "Microsoft.AzureStack/generateDeploymentLicense", + "Microsoft.AzureStackHCI/operations", + "Microsoft.AzureStackHCI/locations", + "Microsoft.AzureStackHCI/locations/operationstatuses", + "Microsoft.AzureStackHCI/galleryImages", + "Microsoft.AzureStackHCI/networkInterfaces", + "Microsoft.AzureStackHCI/virtualMachines", + "Microsoft.AzureStackHCI/virtualNetworks", + "Microsoft.AzureStackHCI/virtualHardDisks", + "Microsoft.AzureStackHCI/clusters", + "Microsoft.AzureStackHCI/clusters/arcSettings", + "Microsoft.AzureStackHCI/clusters/arcSettings/extensions", + "Microsoft.AzureStackHCI/virtualMachines/extensions", + "Microsoft.AzureStackHCI/virtualMachines/hybrididentitymetadata", + "Microsoft.AzureStackHCI/clusters/publishers", + "Microsoft.AzureStackHCI/clusters/offers", + "Microsoft.AzureStackHCI/clusters/publishers/offers", + "Microsoft.AzureStackHCI/clusters/publishers/offers/skus", + "Microsoft.AzureStackHCI/marketplaceGalleryImages", + "Microsoft.AzureStackHCI/storageContainers", + "Microsoft.AzureStackHCI/clusters/updates", + "Microsoft.AzureStackHCI/clusters/updates/updateRuns", + "Microsoft.AzureStackHCI/clusters/updateSummaries", + "Microsoft.AzureStackHCI/registeredSubscriptions", + "Microsoft.AzureStackHCI/virtualMachineInstances", + 
"Microsoft.AzureStackHCI/clusters/deploymentSettings", + "Microsoft.AzureStackHCI/edgeDevices", + "Microsoft.AzureStackHCI/logicalNetworks", + "Microsoft.AzureStackHCI/clusters/securitySettings", + "Microsoft.BackupSolutions/VMwareApplications", + "Microsoft.BackupSolutions/locations", + "Microsoft.BackupSolutions/locations/operationstatuses", + "Microsoft.BackupSolutions/operations", + "Microsoft.BareMetal/bareMetalConnections", + "Microsoft.BareMetal/operations", + "Microsoft.BareMetal/locations", + "Microsoft.BareMetal/locations/operationResults", + "Microsoft.BareMetal/utilization", + "Microsoft.BareMetalInfrastructure/bareMetalInstances", + "Microsoft.BareMetalInfrastructure/bareMetalStorageInstances", + "Microsoft.BareMetalInfrastructure/locations", + "Microsoft.BareMetalInfrastructure/locations/operationsStatus", + "Microsoft.BareMetalInfrastructure/operations", + "Microsoft.Batch/batchAccounts", + "Microsoft.Batch/batchAccounts/pools", + "Microsoft.Batch/batchAccounts/detectors", + "Microsoft.Batch/batchAccounts/certificates", + "Microsoft.Batch/batchAccounts/operationResults", + "Microsoft.Batch/batchAccounts/poolOperationResults", + "Microsoft.Batch/batchAccounts/certificateOperationResults", + "Microsoft.Batch/batchAccounts/privateEndpointConnectionProxyResults", + "Microsoft.Batch/batchAccounts/privateEndpointConnectionResults", + "Microsoft.Batch/operations", + "Microsoft.Batch/locations", + "Microsoft.Batch/locations/quotas", + "Microsoft.Batch/locations/checkNameAvailability", + "Microsoft.Batch/locations/accountOperationResults", + "Microsoft.Batch/locations/virtualMachineSkus", + "Microsoft.Batch/locations/cloudServiceSkus", + "Microsoft.Billing/billingPeriods", + "Microsoft.Billing/invoices", + "Microsoft.Billing/enrollmentAccounts", + "Microsoft.Billing/permissionRequests", + "Microsoft.Billing/billingAccounts/permissionRequests", + "Microsoft.Billing/billingAccounts/associatedTenants", + "Microsoft.Billing/billingRoleDefinitions", + 
"Microsoft.Billing/billingRoleAssignments", + "Microsoft.Billing/createBillingRoleAssignment", + "Microsoft.Billing/billingAccounts/createBillingRoleAssignment", + "Microsoft.Billing/billingAccounts/signAgreement", + "Microsoft.Billing/billingAccounts/previewAgreements", + "Microsoft.Billing/billingAccounts/billingProfiles/createBillingRoleAssignment", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/createBillingRoleAssignment", + "Microsoft.Billing/billingAccounts/customers/createBillingRoleAssignment", + "Microsoft.Billing/billingPermissions", + "Microsoft.Billing/billingAccounts/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/billingPermissions", + "Microsoft.Billing/billingAccounts", + "Microsoft.Billing/billingAccounts/billingProfilesSummaries", + "Microsoft.Billing/billingAccounts/billingProfiles/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/billingProfiles/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/billingProfiles/billingPermissions", + "Microsoft.Billing/billingAccounts/customers", + "Microsoft.Billing/billingAccounts/billingProfiles/customers", + "Microsoft.Billing/billingAccounts/billingProfiles/instructions", + "Microsoft.Billing/billingAccounts/customers/billingSubscriptions", + "Microsoft.Billing/billingAccounts/customers/products", + "Microsoft.Billing/billingAccounts/customers/transactions", + "Microsoft.Billing/billingAccounts/invoiceSections", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingPermissions", + "Microsoft.Billing/billingAccounts/customers/billingRoleDefinitions", + 
"Microsoft.Billing/billingAccounts/billingProfiles/customers/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/customers/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/billingProfiles/customers/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/customers/billingPermissions", + "Microsoft.Billing/billingAccounts/billingProfiles/customers/billingPermissions", + "Microsoft.Billing/billingAccounts/invoiceSections/elevate", + "Microsoft.Billing/billingAccounts/createInvoiceSectionOperations", + "Microsoft.Billing/billingAccounts/patchOperations", + "Microsoft.Billing/billingAccounts/invoiceSections/patchOperations", + "Microsoft.Billing/billingAccounts/invoiceSections/productMoveOperations", + "Microsoft.Billing/billingAccounts/invoiceSections/billingSubscriptionMoveOperations", + "Microsoft.Billing/billingAccounts/listInvoiceSectionsWithCreateSubscriptionPermission", + "Microsoft.Billing/billingAccounts/billingProfiles", + "Microsoft.Billing/billingAccounts/BillingProfiles/patchOperations", + "Microsoft.Billing/departments", + "Microsoft.Billing/billingAccounts/departments", + "Microsoft.Billing/billingAccounts/billingProfiles/departments", + "Microsoft.Billing/billingAccounts/notificationContacts", + "Microsoft.Billing/billingAccounts/billingProfiles/notificationContacts", + "Microsoft.Billing/billingAccounts/departments/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/billingProfiles/departments/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/departments/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/billingProfiles/departments/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/departments/billingPermissions", + "Microsoft.Billing/billingAccounts/billingProfiles/departments/billingPermissions", + "Microsoft.Billing/billingAccounts/enrollmentAccounts", + "Microsoft.Billing/billingAccounts/departments/enrollmentAccounts", + 
"Microsoft.Billing/billingAccounts/billingProfiles/enrollmentAccounts", + "Microsoft.Billing/billingAccounts/billingProfiles/departments/enrollmentAccounts", + "Microsoft.Billing/billingAccounts/enrollmentAccounts/billingRoleDefinitions", + "Microsoft.Billing/billingAccounts/enrollmentAccounts/billingRoleAssignments", + "Microsoft.Billing/billingAccounts/enrollmentAccounts/billingPermissions", + "Microsoft.Billing/billingAccounts/billingProfiles/enrollmentAccounts/billingPermissions", + "Microsoft.Billing/billingAccounts/enrollmentAccounts/billingSubscriptions", + "Microsoft.Billing/billingAccounts/departments/billingSubscriptions", + "Microsoft.Billing/billingAccounts/billingProfiles/paymentMethods", + "Microsoft.Billing/billingAccounts/availableBalance", + "Microsoft.Billing/billingAccounts/billingProfiles/availableBalance", + "Microsoft.Billing/billingAccounts/invoices", + "Microsoft.Billing/billingAccounts/billingProfiles/invoices", + "Microsoft.Billing/billingAccounts/transactions", + "Microsoft.Billing/billingAccounts/billingProfiles/transactions", + "Microsoft.Billing/billingAccounts/invoiceSections/transactions", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/transactions", + "Microsoft.Billing/billingAccounts/billingProfiles/invoices/transactions", + "Microsoft.Billing/billingAccounts/invoices/transactions", + "Microsoft.Billing/billingAccounts/invoices/summary", + "Microsoft.Billing/billingAccounts/billingProfiles/validateDeleteBillingProfileEligibility", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/validateDeleteInvoiceSectionEligibility", + "Microsoft.Billing/billingAccounts/invoices/transactionSummary", + "Microsoft.Billing/billingAccounts/billingSubscriptions", + "Microsoft.Billing/billingAccounts/billingSubscriptionAliases", + "Microsoft.Billing/billingAccounts/billingSubscriptions/invoices", + "Microsoft.Billing/billingAccounts/billingSubscriptions/policies", + 
"Microsoft.Billing/billingAccounts/billingProfiles/billingSubscriptions", + "Microsoft.Billing/billingAccounts/billingProfiles/departments/billingSubscriptions", + "Microsoft.Billing/billingAccounts/billingProfiles/enrollmentAccounts/billingSubscriptions", + "Microsoft.Billing/billingAccounts/invoiceSections/billingSubscriptions", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/billingSubscriptions", + "Microsoft.Billing/billingAccounts/invoiceSections/products", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/products", + "Microsoft.Billing/billingAccounts/invoiceSections/products/updateAutoRenew", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/products/updateAutoRenew", + "Microsoft.Billing/billingAccounts/billingProfiles/products", + "Microsoft.Billing/billingAccounts/products", + "Microsoft.Billing/operations", + "Microsoft.Billing/billingAccounts/invoiceSections/initiateTransfer", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/initiateTransfer", + "Microsoft.Billing/billingAccounts/invoiceSections/transfers", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/transfers", + "Microsoft.Billing/transfers/acceptTransfer", + "Microsoft.Billing/transfers", + "Microsoft.Billing/transfers/declineTransfer", + "Microsoft.Billing/transfers/validateTransfer", + "Microsoft.Billing/billingAccounts/customers/initiateTransfer", + "Microsoft.Billing/billingAccounts/customers/transfers", + "Microsoft.Billing/billingAccounts/customers/transferSupportedAccounts", + "Microsoft.Billing/billingProperty", + "Microsoft.Billing/policies", + "Microsoft.Billing/billingAccounts/policies", + "Microsoft.Billing/billingAccounts/billingProfiles/policies", + "Microsoft.Billing/billingAccounts/customers/policies", + "Microsoft.Billing/billingAccounts/billingProfiles/invoices/pricesheet", + "Microsoft.Billing/billingAccounts/billingProfiles/pricesheet", + 
"Microsoft.Billing/billingAccounts/invoiceSections/billingSubscriptions/transfer", + "Microsoft.Billing/billingAccounts/invoiceSections/products/transfer", + "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections/products/transfer", + "Microsoft.Billing/billingAccounts/invoiceSections/productTransfersResults", + "Microsoft.Billing/billingAccounts/agreements", + "Microsoft.Billing/billingAccounts/lineOfCredit", + "Microsoft.Billing/billingAccounts/paymentMethods", + "Microsoft.Billing/paymentMethods", + "Microsoft.Billing/billingAccounts/billingProfiles/paymentMethodLinks", + "Microsoft.Billing/billingAccounts/payableOverage", + "Microsoft.Billing/billingAccounts/payNow", + "Microsoft.Billing/billingAccounts/reservationOrders", + "Microsoft.Billing/billingAccounts/reservationOrders/reservations", + "Microsoft.Billing/billingAccounts/reservations", + "Microsoft.Billing/billingAccounts/billingProfiles/reservations", + "Microsoft.Billing/billingAccounts/billingProfiles/validateDetachPaymentMethodEligibility", + "Microsoft.Billing/validateAddress", + "Microsoft.Billing/promotions", + "Microsoft.Billing/promotions/checkeligibility", + "Microsoft.Billing/billingAccounts/billingSubscriptions/elevateRole", + "Microsoft.Billing/billingAccounts/appliedReservationOrders", + "Microsoft.Billing/promotionalCredits", + "Microsoft.Billing/billingAccounts/promotionalCredits", + "Microsoft.Billing/billingAccounts/savingsPlanOrders/savingsPlans", + "Microsoft.Billing/billingAccounts/savingsPlanOrders", + "Microsoft.Billing/billingAccounts/savingsPlans", + "Microsoft.Billing/billingAccounts/alerts", + "Microsoft.Billing/billingAccounts/billingProfiles/alerts", + "Microsoft.Billing/billingAccounts/listProductRecommendations", + "Microsoft.Billing/billingAccounts/incentiveSchedules", + "Microsoft.Billing/billingAccounts/incentiveSchedules/milestones", + "Microsoft.Billing/operationStatus", + "Microsoft.Billing/transfers/operationStatus", + 
"Microsoft.Billing/operationResults", + "Microsoft.Billing/billingAccounts/operationResults", + "Microsoft.Billing/billingAccounts/billingProfiles/invoices/operationResults", + "Microsoft.Billing/billingAccounts/billingProfiles/pricesheetDownloadOperations", + "Microsoft.Billing/billingAccounts/billingSubscriptions/operationResults", + "Microsoft.Billing/billingAccounts/billingSubscriptions/invoices/operationResults", + "Microsoft.Billing/billingAccounts/enrollmentAccounts/activationStatus", + "Microsoft.Billing/billingAccounts/invoices/operationResults", + "Microsoft.Billing/promotionalCredits/operationResults", + "Microsoft.Billing/billingAccounts/addresses", + "Microsoft.BillingBenefits/savingsPlanOrders", + "Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans", + "Microsoft.BillingBenefits/savingsPlanOrders/return", + "Microsoft.BillingBenefits/validate", + "Microsoft.BillingBenefits/calculateMigrationCost", + "Microsoft.BillingBenefits/operationResults", + "Microsoft.BillingBenefits/operations", + "Microsoft.BillingBenefits/savingsPlanOrderAliases", + "Microsoft.BillingBenefits/reservationOrderAliases", + "Microsoft.BillingBenefits/savingsPlans", + "Microsoft.BillingBenefits/incentiveSchedules", + "Microsoft.BillingBenefits/incentiveSchedules/milestones", + "Microsoft.BillingBenefits/maccs", + "Microsoft.BillingBenefits/maccs/contributors", + "Microsoft.BillingBenefits/listSellerResources", + "Microsoft.BillingBenefits/credits", + "Microsoft.Bing/locations", + "Microsoft.Bing/accounts/skus", + "Microsoft.Bing/accounts/usages", + "Microsoft.Bing/registeredSubscriptions", + "Microsoft.Bing/operations", + "Microsoft.Bing/locations/operationStatuses", + "Microsoft.Bing/accounts", + "Microsoft.BlockchainTokens/Operations", + "Microsoft.Capacity/resourceProviders", + "Microsoft.Capacity/resourceProviders/locations", + "Microsoft.Capacity/resourceProviders/locations/serviceLimits", + "Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests", + 
"Microsoft.Capacity/resources", + "Microsoft.Capacity/reservationOrders", + "Microsoft.Capacity/reservationOrders/reservations", + "Microsoft.Capacity/listbenefits", + "Microsoft.Capacity/reservations", + "Microsoft.Capacity/reservationOrders/reservations/revisions", + "Microsoft.Capacity/operations", + "Microsoft.Capacity/catalogs", + "Microsoft.Capacity/appliedReservations", + "Microsoft.Capacity/checkOffers", + "Microsoft.Capacity/checkScopes", + "Microsoft.Capacity/calculatePrice", + "Microsoft.Capacity/calculateExchange", + "Microsoft.Capacity/exchange", + "Microsoft.Capacity/reservationOrders/calculateRefund", + "Microsoft.Capacity/reservationOrders/return", + "Microsoft.Capacity/reservationOrders/split", + "Microsoft.Capacity/reservationOrders/merge", + "Microsoft.Capacity/reservationOrders/swap", + "Microsoft.Capacity/reservationOrders/changeDirectory", + "Microsoft.Capacity/validateReservationOrder", + "Microsoft.Capacity/reservationOrders/availableScopes", + "Microsoft.Capacity/reservationOrders/reservations/availableScopes", + "Microsoft.Capacity/commercialReservationOrders", + "Microsoft.Capacity/calculatePurchasePrice", + "Microsoft.Capacity/placePurchaseOrder", + "Microsoft.Capacity/checkPurchaseStatus", + "Microsoft.Capacity/ownReservations", + "Microsoft.Capacity/operationResults", + "Microsoft.Capacity/listSkus", + "Microsoft.Capacity/checkBenefitScopes", + "Microsoft.Carbon/carbonEmissionReports", + "Microsoft.Carbon/queryCarbonEmissionDataAvailableDateRange", + "Microsoft.Carbon/operations", + "Microsoft.CertificateRegistration/certificateOrders", + "Microsoft.CertificateRegistration/certificateOrders/certificates", + "Microsoft.CertificateRegistration/validateCertificateRegistrationInformation", + "Microsoft.CertificateRegistration/operations", + "Microsoft.Certify/operations", + "Microsoft.ChangeAnalysis/operations", + "Microsoft.ChangeAnalysis/resourceChanges", + "Microsoft.ChangeAnalysis/changes", + "Microsoft.ChangeAnalysis/changeSnapshots", 
+ "Microsoft.ChangeAnalysis/computeChanges", + "Microsoft.Chaos/operations", + "Microsoft.Chaos/targets", + "Microsoft.Chaos/locations", + "Microsoft.Chaos/locations/targetTypes", + "Microsoft.Chaos/experiments", + "Microsoft.Chaos/locations/operationStatuses", + "Microsoft.Chaos/locations/operationResults", + "Microsoft.Chaos/privateAccesses", + "Microsoft.ClassicCompute/domainNames", + "Microsoft.ClassicCompute/domainNames/internalLoadBalancers", + "Microsoft.ClassicCompute/checkDomainNameAvailability", + "Microsoft.ClassicCompute/domainNames/slots", + "Microsoft.ClassicCompute/domainNames/slots/roles", + "Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions", + "Microsoft.ClassicCompute/domainNames/slots/roles/metrics", + "Microsoft.ClassicCompute/virtualMachines", + "Microsoft.ClassicCompute/capabilities", + "Microsoft.ClassicCompute/domainNames/capabilities", + "Microsoft.ClassicCompute/domainNames/serviceCertificates", + "Microsoft.ClassicCompute/quotas", + "Microsoft.ClassicCompute/virtualMachines/diagnosticSettings", + "Microsoft.ClassicCompute/virtualMachines/metricDefinitions", + "Microsoft.ClassicCompute/virtualMachines/metrics", + "Microsoft.ClassicCompute/operations", + "Microsoft.ClassicCompute/resourceTypes", + "Microsoft.ClassicCompute/moveSubscriptionResources", + "Microsoft.ClassicCompute/validateSubscriptionMoveAvailability", + "Microsoft.ClassicCompute/operationStatuses", + "Microsoft.ClassicCompute/operatingSystems", + "Microsoft.ClassicCompute/operatingSystemFamilies", + "Microsoft.ClassicInfrastructureMigrate/classicInfrastructureResources", + "Microsoft.ClassicNetwork/virtualNetworks", + "Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings", + "Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies", + "Microsoft.ClassicNetwork/reservedIps", + "Microsoft.ClassicNetwork/quotas", + "Microsoft.ClassicNetwork/gatewaySupportedDevices", + "Microsoft.ClassicNetwork/operations", + 
"Microsoft.ClassicNetwork/networkSecurityGroups", + "Microsoft.ClassicNetwork/capabilities", + "Microsoft.ClassicNetwork/expressRouteCrossConnections", + "Microsoft.ClassicNetwork/expressRouteCrossConnections/peerings", + "Microsoft.ClassicStorage/storageAccounts", + "Microsoft.ClassicStorage/quotas", + "Microsoft.ClassicStorage/checkStorageAccountAvailability", + "Microsoft.ClassicStorage/storageAccounts/services", + "Microsoft.ClassicStorage/storageAccounts/services/diagnosticSettings", + "Microsoft.ClassicStorage/storageAccounts/services/metricDefinitions", + "Microsoft.ClassicStorage/storageAccounts/services/metrics", + "Microsoft.ClassicStorage/storageAccounts/metricDefinitions", + "Microsoft.ClassicStorage/storageAccounts/metrics", + "Microsoft.ClassicStorage/capabilities", + "Microsoft.ClassicStorage/storageAccounts/blobServices", + "Microsoft.ClassicStorage/storageAccounts/tableServices", + "Microsoft.ClassicStorage/storageAccounts/fileServices", + "Microsoft.ClassicStorage/storageAccounts/queueServices", + "Microsoft.ClassicStorage/disks", + "Microsoft.ClassicStorage/images", + "Microsoft.ClassicStorage/vmImages", + "Microsoft.ClassicStorage/storageAccounts/vmImages", + "Microsoft.ClassicStorage/publicImages", + "Microsoft.ClassicStorage/osImages", + "Microsoft.ClassicStorage/osPlatformImages", + "Microsoft.ClassicStorage/operations", + "Microsoft.ClassicSubscription/operations", + "Microsoft.CleanRoom/Locations", + "Microsoft.CleanRoom/Operations", + "Microsoft.CleanRoom/Locations/OperationStatuses", + "Microsoft.CloudHealth/Locations", + "Microsoft.CloudHealth/Locations/operationstatuses", + "Microsoft.CloudHealth/Operations", + "Microsoft.CloudShell/operations", + "Microsoft.CloudTest/accounts", + "Microsoft.CloudTest/pools", + "Microsoft.CloudTest/hostedpools", + "Microsoft.CloudTest/images", + "Microsoft.CloudTest/operations", + "Microsoft.CloudTest/locations", + "Microsoft.CloudTest/locations/operations", + "Microsoft.CodeSigning/Locations", + 
"Microsoft.CodeSigning/Locations/OperationStatuses", + "Microsoft.CodeSigning/Operations", + "Microsoft.CodeSigning/checkNameAvailability", + "Microsoft.Commerce/UsageAggregates", + "Microsoft.Commerce/RateCard", + "Microsoft.Commerce/operations", + "Microsoft.Communication/Locations", + "Microsoft.Communication/CommunicationServices", + "Microsoft.Communication/CommunicationServices/eventGridFilters", + "Microsoft.Communication/operations", + "Microsoft.Communication/registeredSubscriptions", + "Microsoft.Communication/locations/operationStatuses", + "Microsoft.Communication/CheckNameAvailability", + "Microsoft.Communication/EmailServices", + "Microsoft.Communication/EmailServices/Domains", + "Microsoft.Communication/EmailServices/Domains/SenderUsernames", + "Microsoft.Community/communityTrainings", + "Microsoft.Community/Operations", + "Microsoft.Community/Locations", + "Microsoft.Community/Locations/OperationStatuses", + "Microsoft.ComputeSchedule/Locations", + "Microsoft.ConfidentialLedger/Locations", + "Microsoft.ConfidentialLedger/Ledgers", + "Microsoft.ConfidentialLedger/checkNameAvailability", + "Microsoft.ConfidentialLedger/Locations/operations", + "Microsoft.ConfidentialLedger/Locations/operationstatuses", + "Microsoft.ConfidentialLedger/ManagedCCFs", + "Microsoft.ConfidentialLedger/operations", + "Microsoft.Confluent/operations", + "Microsoft.Confluent/locations", + "Microsoft.Confluent/locations/OperationStatuses", + "Microsoft.Confluent/organizations", + "Microsoft.Confluent/checkNameAvailability", + "Microsoft.Confluent/agreements", + "Microsoft.Confluent/validations", + "Microsoft.Confluent/organizations/access", + "Microsoft.Confluent/organizations/access/deleteRoleBinding", + "Microsoft.Confluent/organizations/environments", + "Microsoft.Confluent/organizations/environments/clusters", + "Microsoft.Confluent/organizations/environments/schemaRegistryClusters", + "Microsoft.Confluent/organizations/environments/clusters/createAPIKey", + 
"Microsoft.Confluent/organizations/apiKeys", + "Microsoft.Confluent/organizations/listRegions", + "Microsoft.ConnectedCache/cacheNodes", + "Microsoft.ConnectedCache/enterpriseCustomers", + "Microsoft.ConnectedCache/Operations", + "Microsoft.ConnectedCache/locations", + "Microsoft.ConnectedCache/locations/operationstatuses", + "Microsoft.ConnectedCache/ispCustomers", + "Microsoft.ConnectedCache/ispCustomers/ispCacheNodes", + "Microsoft.ConnectedCache/enterpriseMccCustomers", + "Microsoft.ConnectedCache/enterpriseMccCustomers/enterpriseMccCacheNodes", + "Microsoft.ConnectedCache/registeredSubscriptions", + "Microsoft.ConnectedCredentials/locations", + "Microsoft.ConnectedCredentials/locations/operationstatuses", + "Microsoft.ConnectedCredentials/credentials", + "Microsoft.ConnectedCredentials/operations", + "microsoft.connectedopenstack/operations", + "microsoft.connectedopenstack/locations", + "microsoft.connectedopenstack/locations/operationStatuses", + "Microsoft.ConnectedVehicle/locations", + "Microsoft.ConnectedVehicle/operations", + "Microsoft.ConnectedVehicle/Locations/OperationStatuses", + "Microsoft.ConnectedVehicle/checkNameAvailability", + "Microsoft.ConnectedVehicle/registeredSubscriptions", + "Microsoft.ConnectedVMwarevSphere/locations", + "Microsoft.ConnectedVMwarevSphere/locations/operationstatuses", + "Microsoft.ConnectedVMwarevSphere/VCenters", + "Microsoft.ConnectedVMwarevSphere/resourcepools", + "Microsoft.ConnectedVMwarevSphere/virtualnetworks", + "Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates", + "Microsoft.ConnectedVMwarevSphere/operations", + "Microsoft.ConnectedVMwarevSphere/virtualmachines", + "Microsoft.ConnectedVMwarevSphere/vcenters/inventoryitems", + "Microsoft.ConnectedVMwarevSphere/virtualmachines/hybrididentitymetadata", + "Microsoft.ConnectedVMwarevSphere/virtualmachines/extensions", + "Microsoft.ConnectedVMwarevSphere/virtualmachines/guestagents", + "Microsoft.ConnectedVMwarevSphere/clusters", + 
"Microsoft.ConnectedVMwarevSphere/datastores", + "Microsoft.ConnectedVMwarevSphere/hosts", + "Microsoft.ConnectedVMwarevSphere/virtualmachineinstances", + "Microsoft.CostManagement/Connectors", + "Microsoft.CostManagement/CloudConnectors", + "Microsoft.CostManagement/CheckConnectorEligibility", + "Microsoft.CostManagement/ExternalBillingAccounts", + "Microsoft.CostManagement/ExternalBillingAccounts/Dimensions", + "Microsoft.CostManagement/ExternalBillingAccounts/Query", + "Microsoft.CostManagement/ExternalSubscriptions/Dimensions", + "Microsoft.CostManagement/ExternalSubscriptions/Query", + "Microsoft.CostManagement/ExternalSubscriptions", + "Microsoft.CostManagement/Forecast", + "Microsoft.CostManagement/ExternalSubscriptions/Forecast", + "Microsoft.CostManagement/ExternalBillingAccounts/Forecast", + "Microsoft.CostManagement/Settings", + "Microsoft.CostManagement/operations", + "Microsoft.CostManagement/register", + "Microsoft.CostManagement/Query", + "Microsoft.CostManagement/Dimensions", + "Microsoft.CostManagement/Budgets", + "Microsoft.CostManagement/ExternalSubscriptions/Alerts", + "Microsoft.CostManagement/ExternalBillingAccounts/Alerts", + "Microsoft.CostManagement/Alerts", + "Microsoft.CostManagement/showbackRules", + "Microsoft.CostManagement/costAllocationRules", + "Microsoft.CostManagement/Exports", + "Microsoft.CostManagement/Reports", + "Microsoft.CostManagement/Reportconfigs", + "Microsoft.CostManagement/BillingAccounts", + "Microsoft.CostManagement/Departments", + "Microsoft.CostManagement/EnrollmentAccounts", + "Microsoft.CostManagement/Views", + "Microsoft.CostManagement/Publish", + "Microsoft.CostManagement/ScheduledActions", + "Microsoft.CostManagement/CheckNameAvailability", + "Microsoft.CostManagement/BenefitUtilizationSummaries", + "Microsoft.CostManagement/BenefitRecommendations", + "Microsoft.CostManagement/Insights", + "Microsoft.CostManagement/fetchPrices", + "Microsoft.CostManagement/fetchMicrosoftPrices", + 
"Microsoft.CostManagement/fetchMarketplacePrices", + "Microsoft.CostManagement/calculatePrice", + "Microsoft.CostManagement/CalculateCost", + "Microsoft.CostManagement/GenerateBenefitUtilizationSummariesReport", + "Microsoft.CostManagement/BenefitUtilizationSummariesOperationResults", + "Microsoft.CostManagement/GenerateReservationDetailsReport", + "Microsoft.CostManagement/ReservationDetailsOperationResults", + "Microsoft.CostManagement/GenerateDetailedCostReport", + "Microsoft.CostManagement/GenerateCostDetailsReport", + "Microsoft.CostManagement/CostDetailsOperationResults", + "Microsoft.CostManagement/OperationStatus", + "Microsoft.CostManagement/OperationResults", + "Microsoft.CostManagement/Pricesheets", + "Microsoft.CostManagement/MarkupRules", + "Microsoft.CostManagement/StartConversation", + "Microsoft.CostManagement/SendMessage", + "Microsoft.CostManagementExports/Operations", + "Microsoft.CustomerLockbox/operations", + "Microsoft.CustomerLockbox/TenantOptedIn", + "Microsoft.CustomerLockbox/EnableLockbox", + "Microsoft.CustomerLockbox/DisableLockbox", + "Microsoft.CustomerLockbox/requests", + "Microsoft.D365CustomerInsights/instances", + "Microsoft.D365CustomerInsights/operations", + "Microsoft.Dashboard/locations", + "Microsoft.Dashboard/checkNameAvailability", + "Microsoft.Dashboard/locations/operationStatuses", + "Microsoft.Dashboard/grafana", + "Microsoft.Dashboard/operations", + "Microsoft.Dashboard/grafana/privateEndpointConnections", + "Microsoft.Dashboard/grafana/privateLinkResources", + "Microsoft.Dashboard/locations/checkNameAvailability", + "Microsoft.Dashboard/grafana/managedPrivateEndpoints", + "Microsoft.DatabaseWatcher/locations", + "Microsoft.DatabaseWatcher/operations", + "Microsoft.DataBox/jobs", + "Microsoft.DataBox/locations", + "Microsoft.DataBox/locations/validateAddress", + "Microsoft.DataBox/locations/checkNameAvailability", + "Microsoft.DataBox/locations/operationresults", + "Microsoft.DataBox/operations", + 
"Microsoft.DataBox/locations/availableSkus", + "Microsoft.DataBox/locations/validateInputs", + "Microsoft.DataBox/locations/regionConfiguration", + "Microsoft.DataBox/jobs/eventGridFilters", + "Microsoft.DataBoxEdge/DataBoxEdgeDevices", + "Microsoft.DataBoxEdge/DataBoxEdgeDevices/checkNameAvailability", + "Microsoft.DataBoxEdge/operations", + "Microsoft.DataBoxEdge/availableSkus", + "Microsoft.DataCatalog/catalogs", + "Microsoft.DataCatalog/checkNameAvailability", + "Microsoft.DataCatalog/operations", + "Microsoft.DataCatalog/locations", + "Microsoft.DataCatalog/locations/jobs", + "Microsoft.Datadog/registeredSubscriptions", + "Microsoft.Datadog/locations", + "Microsoft.Datadog/locations/operationStatuses", + "Microsoft.Datadog/operations", + "Microsoft.Datadog/monitors", + "Microsoft.Datadog/monitors/tagRules", + "Microsoft.Datadog/monitors/listMonitoredResources", + "Microsoft.Datadog/monitors/listApiKeys", + "Microsoft.Datadog/monitors/getDefaultKey", + "Microsoft.Datadog/monitors/setDefaultKey", + "Microsoft.Datadog/monitors/singleSignOnConfigurations", + "Microsoft.Datadog/monitors/listHosts", + "Microsoft.Datadog/monitors/listLinkedResources", + "Microsoft.Datadog/monitors/refreshSetPasswordLink", + "Microsoft.Datadog/agreements", + "Microsoft.Datadog/monitors/monitoredSubscriptions", + "Microsoft.Datadog/subscriptionStatuses", + "Microsoft.DataFactory/factories", + "Microsoft.DataFactory/factories/integrationRuntimes", + "Microsoft.DataFactory/factories/privateEndpointConnectionProxies", + "Microsoft.DataFactory/CheckNameAvailability", + "Microsoft.DataFactory/operations", + "Microsoft.DataFactory/locations", + "Microsoft.DataFactory/locations/configureFactoryRepo", + "Microsoft.DataFactory/locations/getFeatureValue", + "Microsoft.DataReplication/replicationVaults", + "Microsoft.DataReplication/replicationFabrics", + "Microsoft.DataReplication/operations", + "Microsoft.DataShare/accounts", + "Microsoft.DataShare/accounts/shares", + 
"Microsoft.DataShare/accounts/shares/datasets", + "Microsoft.DataShare/accounts/shares/synchronizationSettings", + "Microsoft.DataShare/accounts/shares/invitations", + "Microsoft.DataShare/accounts/sharesubscriptions", + "Microsoft.DataShare/accounts/shares/providersharesubscriptions", + "Microsoft.DataShare/accounts/sharesubscriptions/datasetmappings", + "Microsoft.DataShare/accounts/sharesubscriptions/triggers", + "Microsoft.DataShare/accounts/sharesubscriptions/consumerSourceDataSets", + "Microsoft.DataShare/listinvitations", + "Microsoft.DataShare/locations", + "Microsoft.DataShare/locations/operationResults", + "Microsoft.DataShare/locations/registerEmail", + "Microsoft.DataShare/locations/activateEmail", + "Microsoft.DataShare/locations/rejectInvitation", + "Microsoft.DataShare/locations/consumerInvitations", + "Microsoft.DataShare/operations", + "Microsoft.DelegatedNetwork/operations", + "Microsoft.DevAI/Locations", + "Microsoft.DevAI/Locations/operationstatuses", + "Microsoft.DevAI/instances", + "Microsoft.DevAI/instances/experiments", + "Microsoft.DevAI/instances/sandboxes", + "Microsoft.DevAI/instances/sandboxes/experiments", + "Microsoft.DevAI/Operations", + "Microsoft.DevAI/registeredSubscriptions", + "Microsoft.DevCenter/operations", + "Microsoft.DevCenter/Locations", + "Microsoft.DevCenter/Locations/OperationStatuses", + "Microsoft.DevCenter/devcenters", + "Microsoft.DevCenter/devcenters/catalogs", + "Microsoft.DevCenter/devcenters/attachednetworks", + "Microsoft.DevCenter/devcenters/devboxdefinitions", + "Microsoft.DevCenter/devcenters/environmentTypes", + "Microsoft.DevCenter/devcenters/galleries", + "Microsoft.DevCenter/devcenters/galleries/images/versions", + "Microsoft.DevCenter/devcenters/galleries/images", + "Microsoft.DevCenter/devcenters/images", + "Microsoft.DevCenter/networkconnections", + "Microsoft.DevCenter/networkconnections/healthchecks", + "Microsoft.DevCenter/projects", + "Microsoft.DevCenter/projects/attachednetworks", + 
"Microsoft.DevCenter/projects/environmentTypes", + "Microsoft.DevCenter/projects/pools", + "Microsoft.DevCenter/projects/pools/schedules", + "Microsoft.DevCenter/projects/devboxdefinitions", + "Microsoft.DevCenter/projects/allowedEnvironmentTypes", + "Microsoft.DevCenter/checkNameAvailability", + "Microsoft.DevCenter/networkconnections/outboundNetworkDependenciesEndpoints", + "Microsoft.DevCenter/Locations/usages", + "Microsoft.DevCenter/devcenters/catalogs/devboxdefinitions", + "Microsoft.DevCenter/devcenters/catalogs/environmentDefinitions", + "Microsoft.DevCenter/devcenters/catalogs/tasks", + "Microsoft.DevCenter/checkScopedNameAvailability", + "Microsoft.DevelopmentWindows365/DevelopmentCloudPcDelegatedMsis", + "Microsoft.DevHub/operations", + "Microsoft.DevHub/workflows", + "Microsoft.DevHub/locations", + "Microsoft.DevHub/locations/githuboauth", + "Microsoft.DevHub/locations/generatePreviewArtifacts", + "Microsoft.DeviceRegistry/locations", + "Microsoft.DeviceRegistry/operations", + "Microsoft.DeviceRegistry/operationStatuses", + "Microsoft.DeviceRegistry/locations/operationStatuses", + "Microsoft.DeviceRegistry/assets", + "Microsoft.DeviceRegistry/assetEndpointProfiles", + "Microsoft.DeviceUpdate/locations", + "Microsoft.DeviceUpdate/locations/operationStatuses", + "Microsoft.DeviceUpdate/operations", + "Microsoft.DeviceUpdate/accounts", + "Microsoft.DeviceUpdate/accounts/instances", + "Microsoft.DeviceUpdate/checkNameAvailability", + "Microsoft.DeviceUpdate/registeredSubscriptions", + "Microsoft.DeviceUpdate/accounts/privateLinkResources", + "Microsoft.DeviceUpdate/accounts/privateEndpointConnections", + "Microsoft.DeviceUpdate/accounts/privateEndpointConnectionProxies", + "Microsoft.DigitalTwins/locations", + "Microsoft.DigitalTwins/locations/checkNameAvailability", + "Microsoft.DigitalTwins/digitalTwinsInstances", + "Microsoft.DigitalTwins/digitalTwinsInstances/operationResults", + "Microsoft.DigitalTwins/locations/operationResults", + 
"Microsoft.DigitalTwins/locations/operationsStatuses", + "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", + "Microsoft.DigitalTwins/digitalTwinsInstances/timeSeriesDatabaseConnections", + "Microsoft.DigitalTwins/operations", + "Microsoft.DomainRegistration/domains", + "Microsoft.DomainRegistration/domains/domainOwnershipIdentifiers", + "Microsoft.DomainRegistration/topLevelDomains", + "Microsoft.DomainRegistration/checkDomainAvailability", + "Microsoft.DomainRegistration/listDomainRecommendations", + "Microsoft.DomainRegistration/validateDomainRegistrationInformation", + "Microsoft.DomainRegistration/generateSsoRequest", + "Microsoft.DomainRegistration/operations", + "Microsoft.Easm/workspaces", + "Microsoft.Easm/workspaces/labels", + "Microsoft.Easm/operations", + "Microsoft.Easm/workspaces/tasks", + "Microsoft.EdgeManagement/locations", + "Microsoft.EdgeManagement/operations", + "Microsoft.EdgeMarketplace/operations", + "Microsoft.EdgeMarketplace/locations", + "Microsoft.EdgeMarketplace/locations/operationStatuses", + "Microsoft.EdgeMarketplace/publishers", + "Microsoft.EdgeMarketplace/offers", + "Microsoft.EdgeOrder/addresses", + "Microsoft.EdgeOrder/orderItems", + "Microsoft.EdgeOrder/orders", + "Microsoft.EdgeOrder/locations", + "Microsoft.EdgeOrder/locations/orders", + "Microsoft.EdgeOrder/listProductFamilies", + "Microsoft.EdgeOrder/listConfigurations", + "Microsoft.EdgeOrder/productFamiliesMetadata", + "Microsoft.EdgeOrder/locations/hciCatalog", + "Microsoft.EdgeOrder/locations/hciCatalog/vendors", + "Microsoft.EdgeOrder/locations/hciCatalog/platforms", + "Microsoft.EdgeOrder/locations/hciCatalog/projects", + "Microsoft.EdgeOrder/locations/hciFlightCatalog", + "Microsoft.EdgeOrder/locations/hciFlightCatalog/vendors", + "Microsoft.EdgeOrder/locations/hciFlightCatalog/platforms", + "Microsoft.EdgeOrder/locations/hciFlightCatalog/projects", + "Microsoft.EdgeOrder/operations", + "Microsoft.EdgeOrder/locations/operationresults", + 
"Microsoft.EdgeOrderPartner/operations", + "Microsoft.Elastic/operations", + "Microsoft.Elastic/locations", + "Microsoft.Elastic/locations/operationStatuses", + "Microsoft.Elastic/monitors", + "Microsoft.Elastic/monitors/tagRules", + "Microsoft.Elastic/checkNameAvailability", + "Microsoft.Elastic/elasticVersions", + "Microsoft.Elastic/getOrganizationApiKey", + "Microsoft.Elastic/getElasticOrganizationToAzureSubscriptionMapping", + "Microsoft.ElasticSan/elasticSans", + "Microsoft.ElasticSan/elasticSans/volumeGroups", + "Microsoft.ElasticSan/operations", + "Microsoft.ElasticSan/locations/asyncoperations", + "Microsoft.ElasticSan/locations", + "Microsoft.EnterpriseSupport/EnterpriseSupports", + "Microsoft.EnterpriseSupport/operationStatuses", + "Microsoft.EnterpriseSupport/validate", + "Microsoft.EnterpriseSupport/Operations", + "Microsoft.EntitlementManagement/Operations", + "Microsoft.Experimentation/Operations", + "Microsoft.ExtendedLocation/locations", + "Microsoft.ExtendedLocation/customLocations", + "Microsoft.ExtendedLocation/customLocations/enabledResourceTypes", + "Microsoft.ExtendedLocation/customLocations/resourceSyncRules", + "Microsoft.ExtendedLocation/locations/operationsstatus", + "Microsoft.ExtendedLocation/locations/operationresults", + "Microsoft.ExtendedLocation/operations", + "Microsoft.Fabric/capacities", + "Microsoft.Fabric/locations", + "Microsoft.Fabric/locations/checkNameAvailability", + "Microsoft.Fabric/locations/operationresults", + "Microsoft.Fabric/locations/operationstatuses", + "Microsoft.Fabric/operations", + "Microsoft.Falcon/namespaces", + "Microsoft.Features/features", + "Microsoft.Features/providers", + "Microsoft.Features/featureProviders", + "Microsoft.Features/subscriptionFeatureRegistrations", + "Microsoft.Features/featureProviderNamespaces", + "Microsoft.Features/featureConfigurations", + "Microsoft.Features/operations", + "Microsoft.FluidRelay/fluidRelayServers", + "Microsoft.FluidRelay/Operations", + 
"Microsoft.FluidRelay/fluidRelayServers/fluidRelayContainers", + "Microsoft.FluidRelay/Locations", + "Microsoft.FluidRelay/Locations/OperationStatuses", + "Microsoft.GraphServices/accounts", + "Microsoft.GraphServices/Operations", + "Microsoft.GraphServices/RegisteredSubscriptions", + "Microsoft.GraphServices/Locations", + "Microsoft.GraphServices/Locations/OperationStatuses", + "Microsoft.HanaOnAzure/hanaInstances", + "Microsoft.HanaOnAzure/locations/operationsStatus", + "Microsoft.HanaOnAzure/locations", + "Microsoft.HanaOnAzure/locations/operations", + "Microsoft.HanaOnAzure/operations", + "Microsoft.HardwareSecurityModules/cloudHsmClusters", + "Microsoft.HardwareSecurityModules/locations", + "Microsoft.HardwareSecurityModules/operations", + "Microsoft.HealthBot/Operations", + "Microsoft.HealthBot/Locations", + "Microsoft.HealthBot/Locations/OperationStatuses", + "Microsoft.HealthBot/healthBots", + "Microsoft.HealthDataAIServices/locations", + "Microsoft.HealthDataAIServices/locations/operationStatuses", + "Microsoft.HealthDataAIServices/Operations", + "Microsoft.HealthModel/Operations", + "Microsoft.Help/operations", + "Microsoft.Help/operationResults", + "Microsoft.Help/discoverySolutions", + "Microsoft.Help/discoverSolutions", + "Microsoft.Help/diagnostics", + "Microsoft.Help/checkNameAvailability", + "Microsoft.Help/solutions", + "Microsoft.Help/troubleshooters", + "Microsoft.Help/SelfHelp", + "Microsoft.HybridCloud/cloudConnectors", + "Microsoft.HybridCloud/cloudConnections", + "Microsoft.HybridCompute/machines", + "Microsoft.HybridCompute/machines/hybridIdentityMetadata", + "Microsoft.HybridCompute/machines/privateLinkScopes", + "Microsoft.HybridCompute/machines/extensions", + "Microsoft.HybridCompute/locations", + "Microsoft.HybridCompute/locations/publishers", + "Microsoft.HybridCompute/locations/publishers/extensionTypes", + "Microsoft.HybridCompute/locations/publishers/extensionTypes/versions", + "Microsoft.HybridCompute/locations/operationStatus", + 
"Microsoft.HybridCompute/locations/operationResults", + "Microsoft.HybridCompute/operations", + "Microsoft.HybridCompute/machines/assessPatches", + "Microsoft.HybridCompute/machines/installPatches", + "Microsoft.HybridCompute/locations/updateCenterOperationResults", + "Microsoft.HybridCompute/privateLinkScopes", + "Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections", + "Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnectionProxies", + "Microsoft.HybridCompute/locations/privateLinkScopes", + "Microsoft.HybridCompute/osType", + "Microsoft.HybridCompute/osType/agentVersions", + "Microsoft.HybridCompute/osType/agentVersions/latest", + "Microsoft.HybridCompute/machines/runcommands", + "Microsoft.HybridCompute/machines/licenseProfiles", + "Microsoft.HybridCompute/licenses", + "Microsoft.HybridCompute/validateLicense", + "Microsoft.HybridCompute/networkConfigurations", + "Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations", + "Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterAssociationProxies", + "Microsoft.HybridCompute/locations/notifyNetworkSecurityPerimeterUpdatesAvailable", + "Microsoft.HybridCompute/locations/notifyExtension", + "Microsoft.HybridConnectivity/endpoints", + "Microsoft.HybridConnectivity/Operations", + "Microsoft.HybridConnectivity/Locations", + "Microsoft.HybridConnectivity/Locations/OperationStatuses", + "Microsoft.HybridContainerService/Locations", + "Microsoft.HybridContainerService/Locations/operationStatuses", + "Microsoft.HybridContainerService/provisionedClusters", + "Microsoft.HybridContainerService/provisionedClusters/hybridIdentityMetadata", + "Microsoft.HybridContainerService/provisionedClusters/agentPools", + "Microsoft.HybridContainerService/virtualNetworks", + "Microsoft.HybridContainerService/Operations", + "Microsoft.HybridContainerService/provisionedClusters/upgradeProfiles", + "Microsoft.HybridContainerService/kubernetesVersions", + 
"Microsoft.HybridContainerService/skus", + "Microsoft.HybridContainerService/provisionedClusterInstances", + "Microsoft.HybridNetwork/Operations", + "Microsoft.HybridNetwork/Locations", + "Microsoft.HybridNetwork/Locations/OperationStatuses", + "Microsoft.HybridNetwork/devices", + "Microsoft.HybridNetwork/networkfunctions", + "Microsoft.HybridNetwork/networkFunctionVendors", + "Microsoft.HybridNetwork/networkFunctions/components", + "Microsoft.HybridNetwork/sites", + "Microsoft.HybridNetwork/siteNetworkServices", + "Microsoft.HybridNetwork/configurationGroupValues", + "Microsoft.HybridNetwork/publishers", + "Microsoft.HybridNetwork/publishers/networkFunctionDefinitionGroups", + "Microsoft.HybridNetwork/publishers/networkFunctionDefinitionGroups/networkFunctionDefinitionVersions", + "Microsoft.HybridNetwork/publishers/artifactStores", + "Microsoft.HybridNetwork/publishers/artifactStores/artifactManifests", + "Microsoft.HybridNetwork/publishers/artifactstores/artifacts", + "Microsoft.HybridNetwork/publishers/artifactstores/artifactversions", + "Microsoft.Impact/Operations", + "Microsoft.IntegrationSpaces/Spaces", + "Microsoft.IntegrationSpaces/Spaces/InfrastructureResources", + "Microsoft.IntegrationSpaces/Spaces/Applications", + "Microsoft.IntegrationSpaces/Spaces/applications/resources", + "Microsoft.IntegrationSpaces/Spaces/applications/BusinessProcesses", + "Microsoft.IntegrationSpaces/Spaces/applications/BusinessProcesses/versions", + "Microsoft.IntegrationSpaces/locations", + "Microsoft.IntegrationSpaces/locations/OperationStatuses", + "Microsoft.IntegrationSpaces/operations", + "Microsoft.IoTCentral/IoTApps", + "Microsoft.IoTCentral/checkNameAvailability", + "Microsoft.IoTCentral/checkSubdomainAvailability", + "Microsoft.IoTCentral/operations", + "Microsoft.IoTCentral/locations", + "Microsoft.IoTCentral/locations/operationResults", + "Microsoft.IoTCentral/appTemplates", + "Microsoft.IoTFirmwareDefense/operations", + "Microsoft.IoTFirmwareDefense/workspaces", + 
"Microsoft.IoTFirmwareDefense/workspaces/firmwares", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/sbomComponents", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/binaryHardeningResults", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/cryptoCertificates", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/cryptoKeys", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/passwordHashes", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/cves", + "Microsoft.IoTFirmwareDefense/workspaces/firmwares/summaries", + "Microsoft.IoTFirmwareDefense/locations", + "Microsoft.IoTFirmwareDefense/locations/operationStatuses", + "Microsoft.IoTOperationsDataProcessor/locations", + "Microsoft.IoTOperationsDataProcessor/locations/operationStatuses", + "Microsoft.IoTOperationsDataProcessor/instances", + "Microsoft.IoTOperationsDataProcessor/instances/datasets", + "Microsoft.IoTOperationsDataProcessor/instances/pipelines", + "Microsoft.IoTOperationsDataProcessor/operations", + "Microsoft.IoTOperationsMQ/Locations", + "Microsoft.IoTOperationsMQ/Operations", + "Microsoft.IoTOperationsMQ/Locations/OperationStatuses", + "Microsoft.IoTOperationsMQ/mq", + "Microsoft.IoTOperationsMQ/mq/broker", + "Microsoft.IoTOperationsMQ/mq/broker/authentication", + "Microsoft.IoTOperationsMQ/mq/broker/authorization", + "Microsoft.IoTOperationsMQ/mq/broker/listener", + "Microsoft.IoTOperationsMQ/mq/dataLakeConnector", + "Microsoft.IoTOperationsMQ/mq/dataLakeConnector/topicMap", + "Microsoft.IoTOperationsMQ/mq/diagnosticService", + "Microsoft.IoTOperationsMQ/mq/kafkaConnector", + "Microsoft.IoTOperationsMQ/mq/kafkaConnector/topicMap", + "Microsoft.IoTOperationsMQ/mq/mqttBridgeConnector", + "Microsoft.IoTOperationsMQ/mq/mqttBridgeConnector/topicMap", + "Microsoft.IoTOperationsOrchestrator/locations", + "Microsoft.IoTOperationsOrchestrator/locations/operationStatuses", + "Microsoft.IoTOperationsOrchestrator/targets", + "Microsoft.IoTOperationsOrchestrator/solutions", + 
"Microsoft.IoTOperationsOrchestrator/instances", + "Microsoft.IoTOperationsOrchestrator/operations", + "Microsoft.IoTSecurity/Operations", + "Microsoft.IoTSecurity/defenderSettings", + "Microsoft.IoTSecurity/locations", + "Microsoft.IoTSecurity/locations/deviceGroups", + "Microsoft.IoTSecurity/locations/deviceGroups/devices", + "Microsoft.IoTSecurity/locations/endpoints", + "Microsoft.IoTSecurity/locations/deviceGroups/vulnerabilities", + "Microsoft.IoTSecurity/locations/deviceGroups/alerts", + "Microsoft.IoTSecurity/locations/deviceGroups/alerts/pcaps", + "Microsoft.IoTSecurity/locations/deviceGroups/alerts/learn", + "Microsoft.IoTSecurity/locations/deviceGroups/recommendations", + "Microsoft.IoTSecurity/locations/sites", + "Microsoft.IoTSecurity/locations/sites/sensors", + "Microsoft.IoTSecurity/sites", + "Microsoft.IoTSecurity/sensors", + "Microsoft.IoTSecurity/onPremiseSensors", + "Microsoft.IoTSecurity/alertTypes", + "Microsoft.IoTSecurity/recommendationTypes", + "Microsoft.IoTSecurity/licenseSkus", + "Microsoft.Kubernetes/connectedClusters", + "Microsoft.Kubernetes/locations", + "Microsoft.Kubernetes/locations/operationStatuses", + "Microsoft.Kubernetes/registeredSubscriptions", + "Microsoft.Kubernetes/Operations", + "Microsoft.KubernetesConfiguration/sourceControlConfigurations", + "Microsoft.KubernetesConfiguration/extensions", + "Microsoft.KubernetesConfiguration/fluxConfigurations", + "Microsoft.KubernetesConfiguration/operations", + "Microsoft.KubernetesConfiguration/extensionTypes", + "Microsoft.KubernetesConfiguration/locations/extensionTypes", + "Microsoft.KubernetesConfiguration/locations/extensionTypes/versions", + "Microsoft.KubernetesConfiguration/privateLinkScopes", + "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections", + "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies", + "Microsoft.KubernetesRuntime/storageClasses", + "Microsoft.KubernetesRuntime/loadBalancers", + 
"Microsoft.KubernetesRuntime/bgpPeers", + "Microsoft.KubernetesRuntime/operations", + "Microsoft.KubernetesRuntime/locations", + "Microsoft.KubernetesRuntime/locations/operationStatuses", + "Microsoft.KubernetesRuntime/services", + "Microsoft.LabServices/labplans", + "Microsoft.LabServices/labs", + "Microsoft.LabServices/labaccounts", + "Microsoft.LabServices/locations/operationResults", + "Microsoft.LabServices/locations/operations", + "Microsoft.LabServices/operations", + "Microsoft.LabServices/users", + "Microsoft.LabServices/locations", + "Microsoft.LabServices/locations/usages", + "Microsoft.LoadTestService/operations", + "Microsoft.LoadTestService/checkNameAvailability", + "Microsoft.LoadTestService/loadtests", + "Microsoft.LoadTestService/Locations", + "Microsoft.LoadTestService/Locations/OperationStatuses", + "Microsoft.LoadTestService/registeredSubscriptions", + "Microsoft.LoadTestService/loadtests/outboundNetworkDependenciesEndpoints", + "Microsoft.LoadTestService/Locations/Quotas", + "Microsoft.Logz/operations", + "Microsoft.Logz/locations", + "Microsoft.Logz/registeredSubscriptions", + "Microsoft.Logz/locations/operationStatuses", + "Microsoft.Logz/monitors", + "Microsoft.Logz/monitors/tagRules", + "Microsoft.Logz/monitors/singleSignOnConfigurations", + "Microsoft.Logz/monitors/accounts", + "Microsoft.Logz/monitors/accounts/tagRules", + "Microsoft.MachineLearning/Workspaces", + "Microsoft.MachineLearning/webServices", + "Microsoft.MachineLearning/operations", + "Microsoft.MachineLearning/locations", + "Microsoft.MachineLearning/locations/operations", + "Microsoft.MachineLearning/locations/operationsStatus", + "Microsoft.MachineLearning/commitmentPlans", + "Microsoft.ManagedNetworkFabric/Operations", + "Microsoft.ManagedNetworkFabric/NetworkFabricControllers", + "Microsoft.ManagedNetworkFabric/Locations", + "Microsoft.ManagedNetworkFabric/Locations/OperationStatuses", + "Microsoft.ManagedNetworkFabric/NetworkFabrics", + 
"Microsoft.ManagedNetworkFabric/NetworkRacks", + "Microsoft.ManagedNetworkFabric/NetworkDevices", + "Microsoft.ManagedNetworkFabric/NetworkDevices/NetworkInterfaces", + "Microsoft.ManagedNetworkFabric/L2IsolationDomains", + "Microsoft.ManagedNetworkFabric/L3IsolationDomains", + "Microsoft.ManagedNetworkFabric/accesscontrollists", + "Microsoft.ManagedNetworkFabric/RoutePolicies", + "Microsoft.ManagedNetworkFabric/L3IsolationDomains/externalNetworks", + "Microsoft.ManagedNetworkFabric/L3IsolationDomains/internalNetworks", + "Microsoft.ManagedNetworkFabric/NetworkFabrics/NetworkToNetworkInterconnects", + "Microsoft.ManagedNetworkFabric/IpExtendedCommunities", + "Microsoft.ManagedNetworkFabric/IpCommunities", + "Microsoft.ManagedNetworkFabric/IpPrefixes", + "Microsoft.ManagedNetworkFabric/InternetGateways", + "Microsoft.ManagedNetworkFabric/internetgatewayrules", + "Microsoft.ManagedNetworkFabric/networkpacketbrokers", + "Microsoft.ManagedNetworkFabric/networktaps", + "Microsoft.ManagedNetworkFabric/networktaprules", + "Microsoft.ManagedNetworkFabric/neighborgroups", + "Microsoft.ManufacturingPlatform/locations", + "Microsoft.ManufacturingPlatform/operations", + "Microsoft.Marketplace/register", + "Microsoft.Marketplace/privategalleryitems", + "Microsoft.Marketplace/products", + "Microsoft.Marketplace/offers", + "Microsoft.Marketplace/macc", + "Microsoft.Marketplace/offerTypes", + "Microsoft.Marketplace/offerTypes/publishers", + "Microsoft.Marketplace/offerTypes/publishers/offers", + "Microsoft.Marketplace/offerTypes/publishers/offers/plans", + "Microsoft.Marketplace/offerTypes/publishers/offers/plans/configs", + "Microsoft.Marketplace/offerTypes/publishers/offers/plans/configs/importImage", + "Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements", + "Microsoft.Marketplace/operations", + "Microsoft.Marketplace/listAvailableOffers", + "Microsoft.Marketplace/publishers", + "Microsoft.Marketplace/publishers/offers", + 
"Microsoft.Marketplace/publishers/offers/amendments", + "Microsoft.Marketplace/privateStoreClient", + "Microsoft.Marketplace/privateStores", + "Microsoft.Marketplace/privateStores/offers", + "Microsoft.Marketplace/search", + "Microsoft.Marketplace/privateStores/requestApprovals/query", + "Microsoft.Marketplace/privateStores/requestApprovals/withdrawPlan", + "Microsoft.Marketplace/privateStores/RequestApprovals", + "Microsoft.Marketplace/privateStores/queryNotificationsState", + "Microsoft.Marketplace/privateStores/fetchAllSubscriptionsInTenant", + "Microsoft.Marketplace/privateStores/listNewPlansNotifications", + "Microsoft.Marketplace/privateStores/listStopSellOffersPlansNotifications", + "Microsoft.Marketplace/privateStores/listSubscriptionsContext", + "Microsoft.Marketplace/privateStores/offers/acknowledgeNotification", + "Microsoft.Marketplace/privateStores/AdminRequestApprovals", + "Microsoft.Marketplace/privateStores/collections", + "Microsoft.Marketplace/privateStores/collections/approveAllItems", + "Microsoft.Marketplace/privateStores/collections/disableApproveAllItems", + "Microsoft.Marketplace/privateStores/collections/offers", + "Microsoft.Marketplace/privateStores/collections/mapOffersToContexts", + "Microsoft.Marketplace/privateStores/collections/queryRules", + "Microsoft.Marketplace/privateStores/collections/setRules", + "Microsoft.Marketplace/privateStores/collections/offers/upsertOfferWithMultiContext", + "Microsoft.Marketplace/privateStores/bulkCollectionsAction", + "Microsoft.Marketplace/privateStores/collections/transferOffers", + "Microsoft.Marketplace/privateStores/anyExistingOffersInTheCollections", + "Microsoft.Marketplace/privateStores/queryOffers", + "Microsoft.Marketplace/privateStores/queryUserOffers", + "Microsoft.Marketplace/privateStores/queryUserRules", + "Microsoft.Marketplace/privateStores/collectionsToSubscriptionsMapping", + "Microsoft.Marketplace/privateStores/billingAccounts", + 
"Microsoft.Marketplace/privateStores/queryApprovedPlans", + "Microsoft.Marketplace/locations", + "Microsoft.Marketplace/locations/edgeZones", + "Microsoft.Marketplace/locations/edgeZones/products", + "Microsoft.Marketplace/mysolutions", + "Microsoft.Marketplace/products/reviews", + "Microsoft.Marketplace/products/reviews/comments", + "Microsoft.Marketplace/products/reviews/helpful", + "Microsoft.Marketplace/products/usermetadata", + "Microsoft.MarketplaceOrdering/agreements", + "Microsoft.MarketplaceOrdering/operations", + "Microsoft.MarketplaceOrdering/offertypes", + "Microsoft.Migrate/migrateprojects", + "Microsoft.Migrate/assessmentProjects", + "Microsoft.Migrate/moveCollections", + "Microsoft.Migrate/operations", + "Microsoft.Migrate/locations", + "Microsoft.Migrate/locations/rmsOperationResults", + "Microsoft.Migrate/modernizeProjects", + "Microsoft.Mission/Locations", + "Microsoft.Mission/Locations/OperationStatuses", + "Microsoft.Mission/Operations", + "Microsoft.Mission/virtualEnclaves/endpoints", + "Microsoft.Mission/checkNameAvailability", + "Microsoft.MobileNetwork/Locations", + "Microsoft.MobileNetwork/Locations/OperationStatuses", + "Microsoft.MobileNetwork/Operations", + "Microsoft.MobileNetwork/packetCoreControlPlaneVersions", + "Microsoft.MobilePacketCore/Locations", + "Microsoft.MobilePacketCore/Locations/OperationStatuses", + "Microsoft.MobilePacketCore/Operations", + "Microsoft.ModSimWorkbench/Locations/operationStatuses", + "Microsoft.ModSimWorkbench/Locations", + "Microsoft.ModSimWorkbench/Operations", + "Microsoft.Monitor/operations", + "Microsoft.Monitor/accounts", + "Microsoft.Monitor/locations/locationOperationStatuses", + "Microsoft.Monitor/locations/operationResults", + "Microsoft.Monitor/locations", + "Microsoft.Monitor/locations/operationStatuses", + "Microsoft.MySQLDiscovery/locations", + "Microsoft.MySQLDiscovery/locations/operationStatuses", + "Microsoft.MySQLDiscovery/MySQLSites", + 
"Microsoft.MySQLDiscovery/MySQLSites/MySQLServers", + "Microsoft.MySQLDiscovery/MySQLSites/Refresh", + "Microsoft.MySQLDiscovery/MySQLSites/Summaries", + "Microsoft.MySQLDiscovery/MySQLSites/ErrorSummaries", + "Microsoft.MySQLDiscovery/operations", + "Microsoft.NetApp/netAppAccounts", + "Microsoft.NetApp/netAppAccounts/snapshotPolicies", + "Microsoft.NetApp/netAppAccounts/volumeGroups", + "Microsoft.NetApp/netAppAccounts/capacityPools", + "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", + "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/mountTargets", + "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots", + "Microsoft.NetApp/locations", + "Microsoft.NetApp/locations/checkNameAvailability", + "Microsoft.NetApp/locations/checkFilePathAvailability", + "Microsoft.NetApp/operations", + "Microsoft.NetApp/locations/checkQuotaAvailability", + "Microsoft.NetApp/locations/queryNetworkSiblingSet", + "Microsoft.NetApp/locations/updateNetworkSiblingSet", + "Microsoft.NetApp/locations/regionInfo", + "Microsoft.NetApp/locations/regionInfos", + "Microsoft.NetApp/locations/QuotaLimits", + "Microsoft.NetApp/locations/CheckInventory", + "Microsoft.NetApp/locations/operationResults", + "Microsoft.NetworkAnalytics/Locations", + "Microsoft.NetworkAnalytics/Locations/OperationStatuses", + "Microsoft.NetworkAnalytics/Operations", + "Microsoft.NetworkAnalytics/registeredSubscriptions", + "Microsoft.NetworkCloud/locations", + "Microsoft.NetworkCloud/locations/operationStatuses", + "Microsoft.NetworkCloud/clusterManagers", + "Microsoft.NetworkCloud/racks", + "Microsoft.NetworkCloud/clusters", + "Microsoft.NetworkCloud/bareMetalMachines", + "Microsoft.NetworkCloud/virtualMachines", + "Microsoft.NetworkCloud/operations", + "Microsoft.NetworkCloud/rackSkus", + "Microsoft.NetworkCloud/cloudServicesNetworks", + "Microsoft.NetworkCloud/l2Networks", + "Microsoft.NetworkCloud/storageAppliances", + "Microsoft.NetworkCloud/trunkedNetworks", + 
"Microsoft.NetworkCloud/l3Networks", + "Microsoft.NetworkCloud/clusters/metricsConfigurations", + "Microsoft.NetworkCloud/virtualMachines/consoles", + "Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets", + "Microsoft.NetworkCloud/clusters/bmcKeySets", + "Microsoft.NetworkCloud/volumes", + "Microsoft.NetworkCloud/registeredSubscriptions", + "Microsoft.NetworkCloud/kubernetesClusters", + "Microsoft.NetworkCloud/kubernetesClusters/agentPools", + "Microsoft.NetworkFunction/azureTrafficCollectors", + "Microsoft.NetworkFunction/azureTrafficCollectors/collectorPolicies", + "Microsoft.NetworkFunction/meshVpns", + "Microsoft.NetworkFunction/meshVpns/connectionPolicies", + "Microsoft.NetworkFunction/meshVpns/privateEndpointConnections", + "Microsoft.NetworkFunction/meshVpns/privateEndpointConnectionProxies", + "Microsoft.NetworkFunction/operations", + "Microsoft.NetworkFunction/locations", + "Microsoft.NetworkFunction/locations/nfvOperations", + "Microsoft.NetworkFunction/locations/nfvOperationResults", + "Microsoft.Nutanix/operations", + "Microsoft.Nutanix/locations", + "Microsoft.ObjectStore/osNamespaces", + "Microsoft.OffAzure/VMwareSites", + "Microsoft.OffAzure/HyperVSites", + "Microsoft.OffAzure/ServerSites", + "Microsoft.OffAzure/ImportSites", + "Microsoft.OffAzure/MasterSites", + "Microsoft.OffAzure/locations", + "Microsoft.OffAzure/locations/operationResults", + "Microsoft.OffAzure/operations", + "Microsoft.OffAzureSpringBoot/locations", + "Microsoft.OffAzureSpringBoot/locations/operationStatuses", + "Microsoft.OffAzureSpringBoot/springbootsites", + "Microsoft.OffAzureSpringBoot/springbootsites/springbootservers", + "Microsoft.OffAzureSpringBoot/springbootsites/springbootapps", + "Microsoft.OffAzureSpringBoot/operations", + "Microsoft.OffAzureSpringBoot/springbootsites/summaries", + "Microsoft.OffAzureSpringBoot/springbootsites/errorsummaries", + "Microsoft.OpenEnergyPlatform/Locations", + "Microsoft.OpenEnergyPlatform/Locations/OperationStatuses", + 
"Microsoft.OpenEnergyPlatform/energyservices", + "Microsoft.OpenEnergyPlatform/checkNameAvailability", + "Microsoft.OpenEnergyPlatform/Operations", + "Microsoft.OpenEnergyPlatform/energyservices/privateEndpointConnections", + "Microsoft.OpenEnergyPlatform/energyservices/privateLinkResources", + "Microsoft.OpenEnergyPlatform/energyservices/privateEndpointConnectionProxies", + "Microsoft.OperatorVoicemail/Operations", + "Microsoft.OperatorVoicemail/Locations", + "Microsoft.OperatorVoicemail/Locations/OperationStatuses", + "Microsoft.OperatorVoicemail/Locations/checkNameAvailability", + "Microsoft.OracleDiscovery/locations", + "Microsoft.OracleDiscovery/locations/operationStatuses", + "Microsoft.OracleDiscovery/oraclesites", + "Microsoft.OracleDiscovery/oraclesites/oracleservers", + "Microsoft.OracleDiscovery/oraclesites/oracledatabases", + "Microsoft.OracleDiscovery/oraclesites/summaries", + "Microsoft.OracleDiscovery/oraclesites/errorSummaries", + "Microsoft.OracleDiscovery/operations", + "Microsoft.Orbital/availableGroundStations", + "Microsoft.Orbital/contactProfiles", + "Microsoft.Orbital/spacecrafts", + "Microsoft.Orbital/spacecrafts/contacts", + "Microsoft.Orbital/groundStations", + "Microsoft.Orbital/globalCommunicationsSites", + "Microsoft.Orbital/l2Connections", + "Microsoft.Orbital/edgeSites", + "Microsoft.Orbital/operations", + "Microsoft.Orbital/locations", + "Microsoft.Orbital/locations/operationResults", + "Microsoft.Orbital/locations/operationStatuses", + "Microsoft.PartnerManagedConsumerRecurrence/recurrences", + "Microsoft.PartnerManagedConsumerRecurrence/operations", + "Microsoft.PartnerManagedConsumerRecurrence/checkEligibility", + "Microsoft.PartnerManagedConsumerRecurrence/operationStatuses", + "Microsoft.Peering/peerings", + "Microsoft.Peering/peeringLocations", + "Microsoft.Peering/legacyPeerings", + "Microsoft.Peering/peerAsns", + "Microsoft.Peering/peeringServices", + "Microsoft.Peering/peeringServiceCountries", + 
"Microsoft.Peering/peeringServiceLocations", + "Microsoft.Peering/peeringServiceProviders", + "Microsoft.Peering/checkServiceProviderAvailability", + "Microsoft.Peering/lookingGlass", + "Microsoft.Peering/cdnPeeringPrefixes", + "Microsoft.Peering/operations", + "Microsoft.Pki/Operations", + "Microsoft.Portal/dashboards", + "Microsoft.Portal/tenantconfigurations", + "Microsoft.Portal/listTenantConfigurationViolations", + "Microsoft.Portal/operations", + "Microsoft.Portal/locations", + "Microsoft.Portal/consoles", + "Microsoft.Portal/locations/consoles", + "Microsoft.Portal/userSettings", + "Microsoft.Portal/locations/userSettings", + "Microsoft.PowerBI/workspaceCollections", + "Microsoft.PowerBI/locations", + "Microsoft.PowerBI/locations/checkNameAvailability", + "Microsoft.PowerBI/privateLinkServicesForPowerBI", + "Microsoft.PowerBI/privateLinkServicesForPowerBI/operationResults", + "Microsoft.PowerBI/operations", + "Microsoft.PowerPlatform/operations", + "Microsoft.PowerPlatform/enterprisePolicies", + "Microsoft.PowerPlatform/accounts", + "Microsoft.PowerPlatform/locations", + "Microsoft.PowerPlatform/locations/deleteVirtualNetworkOrSubnets", + "Microsoft.PowerPlatform/locations/validateDeleteVirtualNetworkOrSubnets", + "Microsoft.ProfessionalService/checkNameAvailability", + "Microsoft.ProfessionalService/eligibilityCheck", + "Microsoft.ProfessionalService/operationResults", + "Microsoft.ProfessionalService/operations", + "Microsoft.ProfessionalService/resources", + "Microsoft.ProgrammableConnectivity/operations", + "Microsoft.ProgrammableConnectivity/locations", + "Microsoft.ProgrammableConnectivity/locations/operationStatuses", + "Microsoft.ProgrammableConnectivity/gateways", + "Microsoft.ProgrammableConnectivity/openApiGateways", + "Microsoft.ProgrammableConnectivity/openApiGatewayOfferings", + "Microsoft.ProgrammableConnectivity/OperatorOfferings", + "Microsoft.ProgrammableConnectivity/OperatorConnections", + 
"Microsoft.ProgrammableConnectivity/operatorApiPlans", + "Microsoft.ProgrammableConnectivity/operatorApiConnections", + "Microsoft.ProviderHub/providerRegistrations", + "Microsoft.ProviderHub/operationStatuses", + "Microsoft.ProviderHub/providerRegistrations/resourceTypeRegistrations", + "Microsoft.ProviderHub/providerRegistrations/defaultRollouts", + "Microsoft.ProviderHub/providerRegistrations/customRollouts", + "Microsoft.ProviderHub/providerRegistrations/checkinmanifest", + "Microsoft.ProviderHub/providerRegistrations/resourceActions", + "Microsoft.ProviderHub/availableAccounts", + "Microsoft.ProviderHub/providerRegistrations/authorizedApplications", + "Microsoft.Purview/accounts", + "Microsoft.Purview/accounts/kafkaConfigurations", + "Microsoft.Purview/operations", + "Microsoft.Purview/setDefaultAccount", + "Microsoft.Purview/removeDefaultAccount", + "Microsoft.Purview/getDefaultAccount", + "Microsoft.Purview/checkNameAvailability", + "Microsoft.Purview/locations", + "Microsoft.Purview/locations/operationResults", + "Microsoft.Purview/locations/listFeatures", + "Microsoft.Purview/locations/usages", + "Microsoft.Purview/policies", + "Microsoft.Quantum/Workspaces", + "Microsoft.Quantum/Operations", + "Microsoft.Quantum/Locations", + "Microsoft.Quantum/Locations/OperationStatuses", + "Microsoft.Quantum/locations/offerings", + "Microsoft.Quantum/Locations/CheckNameAvailability", + "Microsoft.Quota/usages", + "Microsoft.Quota/quotas", + "Microsoft.Quota/quotaRequests", + "Microsoft.Quota/operationsStatus", + "Microsoft.Quota/operations", + "Microsoft.Quota/groupQuotas", + "Microsoft.Quota/groupQuotas/groupQuotaLimits", + "Microsoft.Quota/groupQuotas/subscriptions", + "Microsoft.Quota/groupQuotas/groupQuotaRequests", + "Microsoft.Quota/groupQuotas/quotaAllocations", + "Microsoft.Quota/groupQuotas/quotaAllocationRequests", + "Microsoft.Quota/groupQuotas/groupQuotaOperationsStatus", + "Microsoft.Quota/groupQuotas/subscriptionRequests", + 
"Microsoft.Quota/groupQuotas/quotaAllocationOperationsStatus", + "Microsoft.RecommendationsService/locations", + "Microsoft.RecommendationsService/locations/operationStatuses", + "Microsoft.RecommendationsService/accounts", + "Microsoft.RecommendationsService/accounts/modeling", + "Microsoft.RecommendationsService/accounts/serviceEndpoints", + "Microsoft.RecommendationsService/operations", + "Microsoft.RecommendationsService/checkNameAvailability", + "Microsoft.RedHatOpenShift/locations", + "Microsoft.RedHatOpenShift/locations/operationresults", + "Microsoft.RedHatOpenShift/locations/operationsstatus", + "Microsoft.RedHatOpenShift/OpenShiftClusters", + "Microsoft.RedHatOpenShift/operations", + "Microsoft.RedHatOpenShift/locations/openshiftversions", + "Microsoft.ResourceConnector/locations", + "Microsoft.ResourceConnector/appliances", + "Microsoft.ResourceConnector/locations/operationsstatus", + "Microsoft.ResourceConnector/locations/operationresults", + "Microsoft.ResourceConnector/operations", + "Microsoft.ResourceConnector/telemetryconfig", + "Microsoft.ResourceGraph/resources", + "Microsoft.ResourceGraph/resourcesHistory", + "Microsoft.ResourceGraph/resourceChanges", + "Microsoft.ResourceGraph/resourceChangeDetails", + "Microsoft.ResourceGraph/operations", + "Microsoft.ResourceGraph/subscriptionsStatus", + "Microsoft.ResourceGraph/queries", + "Microsoft.ResourceGraph/generateQuery", + "Microsoft.ResourceNotifications/eventGridFilters", + "Microsoft.ResourceNotifications/operations", + "Microsoft.Resources/deploymentScripts", + "Microsoft.Resources/deploymentScripts/logs", + "Microsoft.Resources/locations/deploymentScriptOperationResults", + "Microsoft.Resources/templateSpecs", + "Microsoft.Resources/templateSpecs/versions", + "Microsoft.Resources/builtInTemplateSpecs", + "Microsoft.Resources/builtInTemplateSpecs/versions", + "Microsoft.Resources/deploymentStacks", + "Microsoft.Resources/locations/deploymentStackOperationStatus", + 
"Microsoft.Resources/mobobrokers", + "Microsoft.Resources/tenants", + "Microsoft.Resources/locations", + "Microsoft.Resources/operationresults", + "Microsoft.Resources/notifyResourceJobs", + "Microsoft.Resources/tags", + "Microsoft.Resources/checkPolicyCompliance", + "Microsoft.Resources/providers", + "Microsoft.Resources/checkresourcename", + "Microsoft.Resources/calculateTemplateHash", + "Microsoft.Resources/resources", + "Microsoft.Resources/subscriptions", + "Microsoft.Resources/subscriptions/resources", + "Microsoft.Resources/subscriptions/providers", + "Microsoft.Resources/subscriptions/operationresults", + "Microsoft.Resources/resourceGroups", + "Microsoft.Resources/subscriptions/resourceGroups", + "Microsoft.Resources/subscriptions/resourcegroups/resources", + "Microsoft.Resources/subscriptions/locations", + "Microsoft.Resources/subscriptions/tagnames", + "Microsoft.Resources/subscriptions/tagNames/tagValues", + "Microsoft.Resources/deployments", + "Microsoft.Resources/deployments/operations", + "Microsoft.Resources/validateResources", + "Microsoft.Resources/links", + "Microsoft.Resources/operations", + "Microsoft.Resources/bulkDelete", + "Microsoft.Resources/changes", + "Microsoft.Resources/snapshots", + "Microsoft.Resources/dataBoundaries", + "Microsoft.Resources/deploymentStacks/snapshots", + "Microsoft.Resources/checkZonePeers", + "Microsoft.SaaS/applications", + "Microsoft.SaaS/checknameavailability", + "Microsoft.SaaS/saasresources", + "Microsoft.SaaS/operationResults", + "Microsoft.SaaS/operations", + "Microsoft.SaaS/resources", + "Microsoft.SaaSHub/operationStatuses", + "Microsoft.SaaSHub/cloudServices", + "Microsoft.SaaSHub/operations", + "Microsoft.SaaSHub/registeredSubscriptions", + "Microsoft.SaaSHub/checkNameAvailability", + "Microsoft.SaaSHub/canCreate", + "Microsoft.SaaSHub/locations", + "Microsoft.SaaSHub/locations/operationStatuses", + "Microsoft.Scom/locations/operationStatuses", + "Microsoft.Scom/operations", + "Microsoft.Scom/locations", 
+ "Microsoft.Scom/managedInstances",
+ "Microsoft.Scom/managedInstances/monitoredResources",
+ "Microsoft.Scom/managedInstances/managedGateways",
+ "Microsoft.ScVmm/locations",
+ "Microsoft.ScVmm/Locations/OperationStatuses",
+ "Microsoft.ScVmm/operations",
+ "Microsoft.ScVmm/VMMServers",
+ "Microsoft.ScVmm/Clouds",
+ "Microsoft.ScVmm/VirtualNetworks",
+ "Microsoft.ScVmm/VirtualMachineTemplates",
+ "Microsoft.ScVmm/VirtualMachines",
+ "Microsoft.ScVmm/AvailabilitySets",
+ "Microsoft.ScVmm/VMMServers/InventoryItems",
+ "Microsoft.ScVmm/VirtualMachines/HybridIdentityMetadata",
+ "Microsoft.ScVmm/VirtualMachines/GuestAgents",
+ "Microsoft.ScVmm/VirtualMachines/Extensions",
+ "Microsoft.ScVmm/VirtualMachineInstances",
+ "Microsoft.SecurityDetonation/chambers",
+ "Microsoft.SecurityDetonation/operations",
+ "Microsoft.SecurityDetonation/operationResults",
+ "Microsoft.SecurityDetonation/checkNameAvailability",
+ "Microsoft.SecurityDevOps/Locations",
+ "Microsoft.SecurityDevOps/Locations/OperationStatuses",
+ "Microsoft.SecurityDevOps/gitHubConnectors",
+ "Microsoft.SecurityDevOps/azureDevOpsConnectors",
+ "Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs",
+ "Microsoft.SecurityDevOps/gitHubConnectors/owners",
+ "Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects",
+ "Microsoft.SecurityDevOps/gitHubConnectors/owners/repos",
+ "Microsoft.SecurityDevOps/azureDevOpsConnectors/orgs/projects/repos",
+ "Microsoft.SecurityDevOps/Operations",
+ "Microsoft.SecurityDevOps/gitHubConnectors/stats",
+ "Microsoft.SecurityDevOps/gitHubConnectors/repos",
+ "Microsoft.SecurityDevOps/azureDevOpsConnectors/stats",
+ "Microsoft.SecurityDevOps/azureDevOpsConnectors/repos",
+ "Microsoft.SecurityDevOps/gitLabConnectors",
+ "Microsoft.SecurityDevOps/gitHubConnectors/gitHubInstallations",
+ "Microsoft.SecurityDevOps/gitHubConnectors/gitHubInstallations/gitHubRepositories",
+ "Microsoft.SecurityDevOps/gitLabConnectors/groups",
+ "Microsoft.SecurityDevOps/gitLabConnectors/projects",
+ "Microsoft.SecurityDevOps/gitLabConnectors/stats",
+ "Microsoft.SecurityDevOps/gitLabConnectors/groups/projects",
+ "Microsoft.SerialConsole/consoleServices",
+ "Microsoft.SerialConsole/serialPorts",
+ "Microsoft.SerialConsole/locations",
+ "Microsoft.SerialConsole/locations/consoleServices",
+ "Microsoft.SerialConsole/operations",
+ "Microsoft.ServiceNetworking/trafficControllers",
+ "Microsoft.ServiceNetworking/trafficControllers/frontends",
+ "Microsoft.ServiceNetworking/trafficControllers/associations",
+ "Microsoft.ServiceNetworking/operations",
+ "Microsoft.ServiceNetworking/locations",
+ "Microsoft.ServiceNetworking/locations/operations",
+ "Microsoft.ServiceNetworking/locations/operationResults",
+ "Microsoft.ServicesHub/connectors",
+ "Microsoft.ServicesHub/workspaces",
+ "Microsoft.ServicesHub/supportOfferingEntitlement",
+ "Microsoft.ServicesHub/operations",
+ "Microsoft.ServicesHub/getRecommendationsContent",
+ "Microsoft.ServicesHub/connectors/connectorSpaces",
+ "Microsoft.SignalRService/SignalR",
+ "Microsoft.SignalRService/WebPubSub",
+ "Microsoft.SignalRService/SignalR/replicas",
+ "Microsoft.SignalRService/WebPubSub/replicas",
+ "Microsoft.SignalRService/locations",
+ "Microsoft.SignalRService/locations/operationResults",
+ "Microsoft.SignalRService/locations/operationStatuses",
+ "Microsoft.SignalRService/operations",
+ "Microsoft.SignalRService/locations/checkNameAvailability",
+ "Microsoft.SignalRService/locations/usages",
+ "Microsoft.SignalRService/SignalR/eventGridFilters",
+ "Microsoft.Singularity/accounts",
+ "Microsoft.Singularity/accounts/storageContainers",
+ "Microsoft.Singularity/accounts/networks",
+ "Microsoft.Singularity/accounts/secrets",
+ "Microsoft.Singularity/accounts/accountQuotaPolicies",
+ "Microsoft.Singularity/accounts/groupPolicies",
+ "Microsoft.Singularity/accounts/jobs",
+ "Microsoft.Singularity/accounts/models",
+ "Microsoft.Singularity/locations",
+ "Microsoft.Singularity/locations/instanceTypeSeries",
+ "Microsoft.Singularity/locations/instanceTypeSeries/instanceTypes",
+ "Microsoft.Singularity/locations/operationResults",
+ "Microsoft.Singularity/locations/operationStatus",
+ "Microsoft.Singularity/operations",
+ "Microsoft.Singularity/images",
+ "Microsoft.Singularity/quotas",
+ "Microsoft.SoftwarePlan/hybridUseBenefits",
+ "Microsoft.SoftwarePlan/operations",
+ "Microsoft.Solutions/applications",
+ "Microsoft.Solutions/applicationDefinitions",
+ "Microsoft.Solutions/locations",
+ "Microsoft.Solutions/jitRequests",
+ "Microsoft.Solutions/locations/operationstatuses",
+ "Microsoft.Solutions/Operations",
+ "Microsoft.Sovereign/Locations",
+ "Microsoft.Sovereign/Locations/OperationStatuses",
+ "Microsoft.Sovereign/landingZoneConfigurations",
+ "Microsoft.Sovereign/landingZoneRegistrations",
+ "Microsoft.Sovereign/Operations",
+ "Microsoft.Sovereign/checkNameAvailability",
+ "Microsoft.SqlVirtualMachine/SqlVirtualMachineGroups",
+ "Microsoft.SqlVirtualMachine/SqlVirtualMachines",
+ "Microsoft.SqlVirtualMachine/SqlVirtualMachineGroups/AvailabilityGroupListeners",
+ "Microsoft.SqlVirtualMachine/operations",
+ "Microsoft.SqlVirtualMachine/Locations",
+ "Microsoft.SqlVirtualMachine/Locations/OperationTypes",
+ "Microsoft.SqlVirtualMachine/Locations/sqlVirtualMachineOperationResults",
+ "Microsoft.SqlVirtualMachine/Locations/sqlVirtualMachineGroupOperationResults",
+ "Microsoft.SqlVirtualMachine/Locations/availabilityGroupListenerOperationResults",
+ "Microsoft.SqlVirtualMachine/Locations/registerSqlVmCandidate",
+ "Microsoft.StandbyPool/Locations",
+ "Microsoft.StandbyPool/Locations/OperationStatuses",
+ "Microsoft.StandbyPool/Operations",
+ "Microsoft.StorageActions/storageTasks",
+ "Microsoft.StorageActions/operations",
+ "Microsoft.StorageActions/locations/asyncoperations",
+ "Microsoft.StorageActions/locations/previewActions",
+ "Microsoft.StorageActions/locations",
+ "Microsoft.StorageCache/caches",
+ "Microsoft.StorageCache/caches/storageTargets",
+ "Microsoft.StorageCache/amlFilesystems",
+ "Microsoft.StorageCache/operations",
+ "Microsoft.StorageCache/usageModels",
+ "Microsoft.StorageCache/checkAmlFSSubnets",
+ "Microsoft.StorageCache/getRequiredAmlFSSubnetsSize",
+ "Microsoft.StorageCache/locations",
+ "Microsoft.StorageCache/locations/ascoperations",
+ "Microsoft.StorageCache/locations/usages",
+ "Microsoft.StorageMover/storageMovers",
+ "Microsoft.StorageMover/storageMovers/projects",
+ "Microsoft.StorageMover/storageMovers/agents",
+ "Microsoft.StorageMover/storageMovers/endpoints",
+ "Microsoft.StorageMover/storageMovers/projects/jobDefinitions",
+ "Microsoft.StorageMover/operations",
+ "Microsoft.StorageMover/storageMovers/projects/jobDefinitions/jobRuns",
+ "Microsoft.StorageMover/locations",
+ "Microsoft.StorageMover/locations/operationStatuses",
+ "Microsoft.StorageSync/storageSyncServices",
+ "Microsoft.StorageSync/storageSyncServices/syncGroups",
+ "Microsoft.StorageSync/storageSyncServices/syncGroups/cloudEndpoints",
+ "Microsoft.StorageSync/storageSyncServices/syncGroups/serverEndpoints",
+ "Microsoft.StorageSync/storageSyncServices/registeredServers",
+ "Microsoft.StorageSync/storageSyncServices/workflows",
+ "Microsoft.StorageSync/operations",
+ "Microsoft.StorageSync/locations",
+ "Microsoft.StorageSync/locations/checkNameAvailability",
+ "Microsoft.StorageSync/locations/workflows",
+ "Microsoft.StorageSync/locations/operations",
+ "Microsoft.StorageSync/locations/operationResults",
+ "Microsoft.StorageTasks/locations",
+ "Microsoft.Subscription/SubscriptionDefinitions",
+ "Microsoft.Subscription/SubscriptionOperations",
+ "Microsoft.Subscription/CreateSubscription",
+ "Microsoft.Subscription/operations",
+ "Microsoft.Subscription/cancel",
+ "Microsoft.Subscription/validateCancel",
+ "Microsoft.Subscription/rename",
+ "Microsoft.Subscription/enable",
+ "Microsoft.Subscription/subscriptions",
+ "Microsoft.Subscription/aliases",
+ "Microsoft.Subscription/operationResults",
+ "Microsoft.Subscription/acceptChangeTenant",
+ "Microsoft.Subscription/changeTenantStatus",
+ "Microsoft.Subscription/changeTenantRequest",
+ "Microsoft.Subscription/policies",
+ "Microsoft.Subscription/acceptOwnership",
+ "Microsoft.Subscription/acceptOwnershipStatus",
+ "microsoft.support/operations",
+ "microsoft.support/checkNameAvailability",
+ "microsoft.support/classifyServices",
+ "microsoft.support/services",
+ "microsoft.support/services/problemclassifications",
+ "microsoft.support/supporttickets",
+ "microsoft.support/supporttickets/communications",
+ "microsoft.support/operationresults",
+ "microsoft.support/operationsstatus",
+ "microsoft.support/lookUpResourceId",
+ "microsoft.support/fileWorkspaces",
+ "microsoft.support/fileWorkspaces/files",
+ "Microsoft.Synapse/workspaces",
+ "Microsoft.Synapse/workspaces/bigDataPools",
+ "Microsoft.Synapse/workspaces/sqlPools",
+ "Microsoft.Synapse/workspaces/sqlDatabases",
+ "Microsoft.Synapse/locations/sqlDatabaseAzureAsyncOperation",
+ "Microsoft.Synapse/locations/sqlDatabaseOperationResults",
+ "Microsoft.Synapse/workspaces/kustoPools",
+ "Microsoft.Synapse/locations/kustoPoolOperationResults",
+ "Microsoft.Synapse/locations/kustoPoolCheckNameAvailability",
+ "Microsoft.Synapse/workspaces/kustoPools/databases",
+ "Microsoft.Synapse/workspaces/kustoPools/attacheddatabaseconfigurations",
+ "Microsoft.Synapse/workspaces/kustoPools/databases/dataconnections",
+ "Microsoft.Synapse/locations/sqlPoolAzureAsyncOperation",
+ "Microsoft.Synapse/locations/sqlPoolOperationResults",
+ "Microsoft.Synapse/workspaces/operationStatuses",
+ "Microsoft.Synapse/workspaces/operationResults",
+ "Microsoft.Synapse/checkNameAvailability",
+ "Microsoft.Synapse/operations",
+ "Microsoft.Synapse/kustoOperations",
+ "Microsoft.Synapse/privateLinkHubs",
+ "Microsoft.Synapse/locations",
+ "Microsoft.Synapse/locations/operationResults",
+ "Microsoft.Synapse/locations/operationStatuses",
+ "Microsoft.Synapse/locations/usages",
+ "Microsoft.Synapse/workspaces/usages",
+ "Microsoft.Syntex/documentProcessors",
+ "Microsoft.Syntex/operations",
+ "Microsoft.Syntex/accounts",
+ "Microsoft.Syntex/Locations",
+ "Microsoft.Syntex/Locations/OperationStatuses",
+ "Microsoft.TestBase/locations",
+ "Microsoft.TestBase/locations/operationstatuses",
+ "Microsoft.TestBase/skus",
+ "Microsoft.TestBase/operations",
+ "Microsoft.TestBase/testBaseAccounts",
+ "Microsoft.TestBase/testBaseAccounts/usages",
+ "Microsoft.TestBase/testBaseAccounts/availableOSs",
+ "Microsoft.TestBase/testBaseAccounts/testTypes",
+ "Microsoft.TestBase/testBaseAccounts/flightingRings",
+ "Microsoft.TestBase/testBaseAccounts/packages",
+ "Microsoft.TestBase/testBaseAccounts/packages/osUpdates",
+ "Microsoft.TestBase/testBaseAccounts/testSummaries",
+ "Microsoft.TestBase/testBaseAccounts/packages/favoriteProcesses",
+ "Microsoft.TestBase/testBaseAccounts/packages/testResults",
+ "Microsoft.TestBase/testBaseAccounts/packages/testResults/analysisResults",
+ "Microsoft.TestBase/testBaseAccounts/emailEvents",
+ "Microsoft.TestBase/testBaseAccounts/customerEvents",
+ "Microsoft.TestBase/testBaseAccounts/featureUpdateSupportedOses",
+ "Microsoft.TestBase/testBaseAccounts/availableInplaceUpgradeOSs",
+ "Microsoft.TestBase/testBaseAccounts/firstPartyApps",
+ "Microsoft.TestBase/testBaseAccounts/draftPackages",
+ "Microsoft.TestBase/testBaseAccounts/actionRequests",
+ "Microsoft.TestBase/testBaseAccounts/testConfigurations",
+ "Microsoft.TestBase/testBaseAccounts/availableVMConfigurationTypes",
+ "Microsoft.TestBase/testBaseAccounts/customImages",
+ "Microsoft.TestBase/testBaseAccounts/vhds",
+ "Microsoft.TestBase/testBaseAccounts/imageDefinitions",
+ "Microsoft.TestBase/testBaseAccounts/galleryApps",
+ "Microsoft.TestBase/testBaseAccounts/galleryApps/galleryAppSkus",
+ "Microsoft.TestBase/testBaseAccounts/chatSessions",
+ "Microsoft.TestBase/testBaseAccounts/freeHourBalances",
+ "Microsoft.TestBase/testBaseAccounts/credentials",
+ "Microsoft.TestBase/testBaseAccounts/testConfigurations/testResults",
+ "Microsoft.UsageBilling/operations",
+ "Microsoft.VideoIndexer/operations",
+ "Microsoft.VideoIndexer/locations",
+ "Microsoft.VideoIndexer/locations/operationstatuses",
+ "Microsoft.VideoIndexer/accounts",
+ "Microsoft.VideoIndexer/checknameavailability",
+ "Microsoft.VideoIndexer/locations/userclassicaccounts",
+ "Microsoft.VideoIndexer/locations/classicaccounts",
+ "Microsoft.VirtualMachineImages/imageTemplates",
+ "Microsoft.VirtualMachineImages/imageTemplates/runOutputs",
+ "Microsoft.VirtualMachineImages/imageTemplates/triggers",
+ "Microsoft.VirtualMachineImages/locations",
+ "Microsoft.VirtualMachineImages/locations/operations",
+ "Microsoft.VirtualMachineImages/operations",
+ "microsoft.visualstudio/account",
+ "microsoft.visualstudio/operations",
+ "microsoft.visualstudio/account/extension",
+ "microsoft.visualstudio/checkNameAvailability",
+ "Microsoft.VMware/Locations",
+ "Microsoft.VMware/Locations/OperationStatuses",
+ "Microsoft.VMware/Operations",
+ "Microsoft.VMware/VCenters/InventoryItems",
+ "Microsoft.VoiceServices/Operations",
+ "Microsoft.VoiceServices/locations",
+ "Microsoft.VoiceServices/locations/checkNameAvailability",
+ "Microsoft.VoiceServices/registeredSubscriptions",
+ "Microsoft.VSOnline/accounts",
+ "Microsoft.VSOnline/plans",
+ "Microsoft.VSOnline/operations",
+ "Microsoft.VSOnline/registeredSubscriptions",
+ "Microsoft.WindowsIoT/DeviceServices",
+ "Microsoft.WindowsIoT/operations",
+ "Microsoft.WindowsPushNotificationServices/checkNameAvailability",
+ "Microsoft.WorkloadBuilder/Locations",
+ "Microsoft.WorkloadBuilder/Locations/OperationStatuses",
+ "Microsoft.WorkloadBuilder/Operations",
+ "Microsoft.Workloads/Locations",
+ "Microsoft.Workloads/Locations/OperationStatuses",
+ "Microsoft.Workloads/sapVirtualInstances",
+ "Microsoft.Workloads/sapVirtualInstances/applicationInstances",
+ "Microsoft.Workloads/sapVirtualInstances/centralInstances",
+ "Microsoft.Workloads/sapVirtualInstances/databaseInstances",
+ "Microsoft.Workloads/Operations",
+ "Microsoft.Workloads/monitors",
+ "Microsoft.Workloads/monitors/providerInstances",
+ "Microsoft.Workloads/Locations/sapVirtualInstanceMetadata",
+ "Microsoft.Workloads/connectors",
+ "Microsoft.Workloads/connectors/acssBackups",
+ "Microsoft.Workloads/monitors/sapLandscapeMonitor",
+ "NewRelic.Observability/operations",
+ "NewRelic.Observability/registeredSubscriptions",
+ "NewRelic.Observability/locations",
+ "NewRelic.Observability/locations/operationStatuses",
+ "NewRelic.Observability/monitors",
+ "NewRelic.Observability/monitors/tagRules",
+ "NewRelic.Observability/checkNameAvailability",
+ "NewRelic.Observability/accounts",
+ "NewRelic.Observability/plans",
+ "NewRelic.Observability/organizations",
+ "NewRelic.Observability/monitors/monitoredSubscriptions",
+ "NGINX.NGINXPLUS/operations",
+ "NGINX.NGINXPLUS/locations",
+ "NGINX.NGINXPLUS/locations/operationStatuses",
+ "NGINX.NGINXPLUS/nginxDeployments/configurations",
+ "NGINX.NGINXPLUS/nginxDeployments",
+ "NGINX.NGINXPLUS/nginxDeployments/certificates",
+ "Oracle.Database/Locations",
+ "Oracle.Database/Locations/OperationStatuses",
+ "Oracle.Database/Operations",
+ "PaloAltoNetworks.Cloudngfw/operations",
+ "PaloAltoNetworks.Cloudngfw/locations",
+ "PaloAltoNetworks.Cloudngfw/registeredSubscriptions",
+ "PaloAltoNetworks.Cloudngfw/checkNameAvailability",
+ "PaloAltoNetworks.Cloudngfw/Locations/operationStatuses",
+ "PaloAltoNetworks.Cloudngfw/firewalls",
+ "PaloAltoNetworks.Cloudngfw/localRulestacks",
+ "PaloAltoNetworks.Cloudngfw/globalRulestacks",
+ "PaloAltoNetworks.Cloudngfw/localRulestacks/localRules",
+ "PaloAltoNetworks.Cloudngfw/localRulestacks/fqdnlists",
+ "PaloAltoNetworks.Cloudngfw/globalRulestacks/fqdnlists",
+ "PaloAltoNetworks.Cloudngfw/globalRulestacks/preRules",
+ "PaloAltoNetworks.Cloudngfw/globalRulestacks/postRules",
+ "PaloAltoNetworks.Cloudngfw/globalRulestacks/prefixlists",
+ "PaloAltoNetworks.Cloudngfw/localRulestacks/prefixlists",
+ "PaloAltoNetworks.Cloudngfw/globalRulestacks/certificates",
+ "PaloAltoNetworks.Cloudngfw/localRulestacks/certificates",
+ "PaloAltoNetworks.Cloudngfw/firewalls/statuses",
+ "PureStorage.Block/operations",
+ "PureStorage.Block/locations",
+ "PureStorage.Block/checkNameAvailability",
+ "PureStorage.Block/locations/operationStatuses",
+ "Qumulo.Storage/registeredSubscriptions",
+ "Qumulo.Storage/locations",
+ "Qumulo.Storage/locations/operationStatuses",
+ "Qumulo.Storage/checkNameAvailability",
+ "Qumulo.Storage/operations",
+ "Qumulo.Storage/fileSystems",
+ "SolarWinds.Observability/operations",
+ "SolarWinds.Observability/registeredSubscriptions",
+ "SolarWinds.Observability/locations",
+ "SolarWinds.Observability/locations/operationStatuses",
+ "SolarWinds.Observability/checkNameAvailability",
+ "SplitIO.Experimentation/operations",
+ "SplitIO.Experimentation/locations",
+ "SplitIO.Experimentation/locations/operationStatuses",
+ "SplitIO.Experimentation/checkNameAvailability",
+ "Wandisco.Fusion/Locations",
+ "Wandisco.Fusion/Locations/operationStatuses",
+ "Wandisco.Fusion/registeredSubscriptions",
+ "Wandisco.Fusion/Operations",
+ "Wandisco.Fusion/migrators",
+ "Wandisco.Fusion/migrators/targets",
+ "Wandisco.Fusion/migrators/liveDataMigrations",
+ "Wandisco.Fusion/migrators/exclusionTemplates",
+ "Wandisco.Fusion/migrators/metadataMigrations",
+ "Wandisco.Fusion/migrators/metadataTargets",
+ "Wandisco.Fusion/migrators/pathMappings",
+ "Wandisco.Fusion/migrators/dataTransferAgents",
+ "Wandisco.Fusion/migrators/verifications"
+ ]
+
+ },
+ "resources": [
+ {
+ "condition": "[not(contains(variables('knownPolicyInitativeDefinitionIdsThatRequireParamaeters'), parameters('policySetDefinitionId')))]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]"
+ }
+ },
+ {
+ // [Preview]: Australian Government ISM PROTECTED
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/27272c0b-c225-4cc3-b8b0-f2534b093077')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "membersToExclude": {
+ "value": "[parameters('regCompPolParAusGovIsmRestrictedVmAdminsExclude')]"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "[parameters('logAnalyticsWorkspaceId')]"
+ },
+ "listOfResourceTypes": {
+ "value": "[if(equals(parameters('regCompPolParAusGovIsmRestrictedResourceTypes'), 'all'), variables('allResourceTypes'), createArray())]"
+ }
+ }
+ }
+ },
+ {
+ // [Preview]: Motion Picture Association of America (MPAA)
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/92646f03-e39d-47a9-9e24-58d60ef49af8')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "certificateThumbprints": {
+ "value": "[parameters('regCompPolParMPAACertificateThumb')]"
+ },
+ "applicationName": {
+ "value": "[parameters('regCompPolParMPAAApplicationName')]"
+ },
+ "storagePrefix": {
+ "value": "[parameters('regCompPolParMPAAStoragePrefix')]"
+ },
+ "rgName": {
+ "value": "[parameters('regCompPolParMPAAResGroupPrefix')]"
+ },
+ "metricName": {
+ "value": "[parameters('regCompPolParMPAARBatchMetricName')]"
+ }
+ }
+ }
+ },
+ {
+ // [Preview]: Sovereignty Baseline - Confidential Policies
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('regCompPolParSovBaseConfRegions')]"
+ }
+ }
+ }
+ },
+ {
+ // [Preview]: Sovereignty Baseline - Global Policies
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('regCompPolParSovBaseGlobalRegions')]"
+ }
+ }
+ }
+ },
+ {
+ // [Preview]: SWIFT CSP-CSCF v2020
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/3e0c67fc-8c7c-406c-89bd-6b6bdc986a22')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "workspaceIDsLogAnalyticsAgentShouldConnectTo": {
+ "value": "[parameters('logAnalyticsWorkspaceId')]"
+ },
+ "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
+ "value": "[parameters('regCompPolParSwift2020VmAdminsInclude')]"
+ },
+ "domainNameFQDN": {
+ "value": "[parameters('regCompPolParSwift2020DomainFqdn')]"
+ }
+ }
+ }
+ },
+ {
+ // Canada Federal PBMM
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/4c4a5f27-de81-430b-b4e5-9cbd50595a87')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "logAnalyticsWorkspaceIdforVMReporting": {
+ "value": "[parameters('logAnalyticsWorkspaceId')]"
+ },
+ "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
+ "value": "[parameters('regCompPolParCanadaFedPbmmVmAdminsExclude')]"
+ },
+ "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
+ "value": "[parameters('regCompPolParCanadaFedPbmmVmAdminsInclude')]"
+ }
+ }
+ }
+ },
+ {
+ // CIS Microsoft Azure Foundations Benchmark v2.0.0
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/06f19060-9e68-4070-92ca-f15cc126059e')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "maximumDaysToRotate-d8cf8476-a2ec-4916-896e-992351803c44": {
+ "value": "[parameters('regCompPolParCisV2KeyVaultKeysRotateDays')]"
+ }
+ }
+ }
+ },
+ {
+ // CMMC Level 3
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/b5629c75-5c77-4422-87b9-2509e680f8de')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "logAnalyticsWorkspaceId-f47b5582-33ec-4c5c-87c0-b010a6b2e917": {
+ "value": "[parameters('logAnalyticsWorkspaceId')]"
+ },
+ "MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7": {
+ "value": "[parameters('regCompPolParCmmcL3VmAdminsInclude')]"
+ },
+ "MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f": {
+ "value": "[parameters('regCompPolParCmmcL3VmAdminsExclude')]"
+ }
+ }
+ }
+ },
+ {
+ // HITRUST/HIPAA
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "CertificateThumbprints": {
+ "value": "[parameters('regCompPolParHitrustHipaaCertificateThumb')]"
+ },
+ "installedApplicationsOnWindowsVM": {
+ "value": "[parameters('regCompPolParHitrustHipaaApplicationName')]"
+ },
+ "DeployDiagnosticSettingsforNetworkSecurityGroupsstoragePrefix": {
+ "value": "[parameters('regCompPolParHitrustHipaaStoragePrefix')]"
+ },
+ "DeployDiagnosticSettingsforNetworkSecurityGroupsrgName": {
+ "value": "[parameters('regCompPolParHitrustHipaaResGroupPrefix')]"
+ }
+ }
+ }
+ },
+ {
+ // IRS1075 September 2016
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/105e0327-6175-4eb2-9af4-1fba43bdb39d')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "logAnalyticsWorkspaceIdforVMReporting": {
+ "value": "[parameters('logAnalyticsWorkspaceId')]"
+ },
+ "listOfMembersToExcludeFromWindowsVMAdministratorsGroup": {
+ "value": "[parameters('regCompPolParIrs1075Sep2016VmAdminsExclude')]"
+ },
+ "listOfMembersToIncludeInWindowsVMAdministratorsGroup": {
+ "value": "[parameters('regCompPolParIrs1075Sep2016VmAdminsInclude')]"
+ }
+ }
+ }
+ },
+ {
+ // New Zealand ISM Restricted
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/d1a462af-7e6d-4901-98ac-61570b4ed22a')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "MembersToInclude-30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7": {
+ "value": "[parameters('regCompPolParNZIsmRestrictedVmAdminsInclude')]"
+ },
+ "MembersToExclude-69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f": {
+ "value": "[parameters('regCompPolParNZIsmRestrictedVmAdminsExclude')]"
+ }
+ }
+ }
+ },
+ {
+ // NIST SP 800-171 Rev. 2
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/03055927-78bd-4236-86c0-f36125a10dc9')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "logAnalyticsWorkspaceIDForVMAgents": {
+ "value": "[parameters('logAnalyticsWorkspaceId')]"
+ },
+ "membersToExcludeInLocalAdministratorsGroup": {
+ "value": "[parameters('regCompPolParNistSp800171R2VmAdminsExclude')]"
+ },
+ "membersToIncludeInLocalAdministratorsGroup": {
+ "value": "[parameters('regCompPolParNistSp800171R2VmAdminsInclude')]"
+ }
+ }
+ }
+ },
+ {
+ // SOC 2 Type 2
+ "condition": "[equals(parameters('policySetDefinitionId'), '/providers/Microsoft.Authorization/policySetDefinitions/4054785f-702b-4a98-9215-009cbd58b141')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[parameters('policyAssignmentName')]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[parameters('policySetDefinitionDescription')]",
+ "displayName": "[parameters('policySetDefinitionDisplayName')]",
+ "policyDefinitionId": "[parameters('policySetDefinitionId')]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "allowedContainerImagesRegex-febd0533-8e55-448f-b837-bd0e06f16469": {
+ "value": "[parameters('regCompPolParSoc2Type2AllowedRegistries')]"
+ },
+ "cpuLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
+ "value": "[parameters('regCompPolParSoc2Type2MaxCpuUnits')]"
+ },
+ "memoryLimit-e345eecc-fa47-480f-9e88-67dcc122b164": {
+ "value": "[parameters('regCompPolParSoc2Type2MaxMemoryBytes')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployRoles]",
+ "dependsOn": [
+ "[parameters('policyAssignmentName')]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', parameters('policyAssignmentName')), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json
new file mode 100644
index 0000000000..c676ec7541
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json
@@ -0,0 +1,171 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
+ },
+ "assessmentMode": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Assessment mode",
+ "description": "Assessment mode for the machines."
+ },
+ "allowedValues": [
+ "ImageDefault",
+ "AutomaticByPlatform"
+ ],
+ "defaultValue": "AutomaticByPlatform"
+ },
+ "locations": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Machines locations",
+ "description": "The list of locations from which machines need to be targeted.",
+ "strongType": "location"
+ },
+ "defaultValue": []
+ },
+ "tagValues": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "Tags on machines",
+ "description": "The list of tags that need to matched for getting target machines."
+ },
+ "defaultValue": {}
+ },
+ "tagOperator": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Tag operator",
+ "description": "Matching condition for resource tags"
+ },
+ "allowedValues": [
+ "All",
+ "Any"
+ ],
+ "defaultValue": "Any"
+ },
+ "scope": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Scope",
+ "description": "Scope of the policy assignment"
+ }
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "vmCheckUpdates": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates')]"
+ },
+ "policyAssignmentNames": {
+ "vmCheckUpdates": "Enable-AUM-CheckUpdates",
+ "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
+ "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines."
+ },
+ "nonComplianceMessage": {
+ "message": "Periodic checking of missing updates {enforcementMode} be enabled.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
+ "rbacVmContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
+ "rbacConnectedMachineResourceAdministrator": "cd570a14-e51a-42ad-bac8-bafd67325302",
+ "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
+ "roleAssignmentNames": {
+ "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates,'-1',parameters('scope')))]",
+ "roleAssignmentNameConnectedMachineResourceAdministrator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates,'-2',parameters('scope')))]",
+ "roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates,'-3',parameters('scope')))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "[variables('policyAssignmentNames').vmCheckUpdates]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').vmCheckUpdates]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "nonComplianceMessages": [
+ {
+ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+ }
+ ],
+ "parameters": {
+ "assessmentMode": {
+ "value": "[parameters('assessmentMode')]"
+ },
+ "locations": {
+ "value": "[parameters('locations')]"
+ },
+ "tagValues": {
+ "value": "[parameters('tagValues')]"
+ },
+ "tagOperator": {
+ "value": "[parameters('tagOperator')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').vmCheckUpdates)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVmContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmCheckUpdates), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[variables('roleAssignmentNames').roleAssignmentNameConnectedMachineResourceAdministrator]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').vmCheckUpdates)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacConnectedMachineResourceAdministrator'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmCheckUpdates), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').vmCheckUpdates)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmCheckUpdates), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json
index ac9728317e..0b9c17721d 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json
@@ -21,6 +21,10 @@
 "DoNotEnforce"
 ],
 "defaultValue": "Default"
+ },
+ "nonComplianceMessagePlaceholder": {
+ "type": "string",
+ "defaultValue": "{enforcementMode}"
 }
 },
 "variables": {
@@ -32,6 +36,11 @@
 "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs.",
 "displayName": "Virtual networks should be protected by Azure DDoS Network Protection"
 },
+ "nonComplianceMessage": {
+ "message": "Virtual networks {enforcementMode} be protected by Azure DDoS Network Protection.",
+ "Default": "must",
+ "DoNotEnforce": "should"
+ },
 "rbacNetworkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7",
 "roleAssignmentNames": {
 "deployDdoS": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deployDdoS))]"
@@ -40,7 +49,7 @@
 "resources": [
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2019-09-01",
+ "apiVersion": "2022-06-01",
 "name": "[variables('policyAssignmentNames').deployDdoS]",
 "location": "[deployment().location]",
 "identity": {
diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/README.md b/eslzArm/managementGroupTemplates/policyDefinitions/README.md
index fb7c585502..d8451e912d 100644
--- a/eslzArm/managementGroupTemplates/policyDefinitions/README.md
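Review bot: The three `Microsoft.Authorization/roleAssignments` resources grant the assignment's system-assigned identity the roles held in `rbacVmContributor`, `rbacConnectedMachineResourceAdministrator` and `rbacManagedIdentityOperator` at the management group the template is deployed to, but the values are bare GUIDs with nothing tying each grant to the initiative member that needs it, so a reviewer cannot confirm the set is least-privilege without looking the IDs up. This repo already uses `//` comments inside its ARM JSON (the `// SOC 2 Type 2` marker in the regulatory-compliance template in this same diff), so annotate each variable where it is declared, e.g. `"rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830", // Managed Identity Operator - record which Deploy-AUM-CheckUpdates member lists this in roleDefinitionIds, or drop it`, and do the same for the other two. Separately, the `scope` parameter's description reads `"Scope of the policy assignment"`, yet in this template it only feeds the three `guid()` role-assignment names while the assignment itself lands at deployment scope; `"description": "Scope the assignment is deployed at; used only to make the role assignment names unique per scope"` states what it actually does.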
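Review bot: The `nonComplianceMessage` variable added in `@@ -32,6 +36,11 @@` (and the `nonComplianceMessagePlaceholder` parameter from the hunk before it) is never read in this diff: the only other change to the file is the `apiVersion` bump in `@@ -40,7 +49,7 @@`, and no hunk adds a `nonComplianceMessages` property to the `deployDdoS` assignment, so unless the unchanged part of the file already references a variable by this name the message is dead configuration and the DDoS assignment keeps reporting without the must/should wording. Add, next to `enforcementMode` in the assignment's `properties`, `"nonComplianceMessages": [ { "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" } ]`, which is how the new AUM template in this same diff consumes the identical pair. The assignment resource's `properties` block lies outside the shown hunks.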
+++ b/eslzArm/managementGroupTemplates/policyDefinitions/README.md @@ -1,16 +1,16 @@ -# Information relating to `policies.json` +# Information relating to `policies.json` and `initiatives.json` -The `policies.json` deployment template provides a unified deployment experience for creating all Policy Definitions and Policy Set Definitions (Initiatives) as recommended for the Azure landing zone reference implementation. +The `policies.json` and `initiatives.json` deployment templates provides a unified deployment experience for creating all Policy Definitions and Policy Set Definitions (Initiatives) as recommended for the Azure landing zone reference implementation. -This template is designed to work across the following clouds, ensuring the supported combination of policies are created in the customer environment: +This templates are designed to work across the following clouds, ensuring the supported combination of policies are created in the customer environment: - AzureCloud (Public) - AzureChinaCloud (Azure China / 21Vianet) - AzureUSGovernment (US Government) > **IMPORTANT:** -> Please note that the `policies.json` file located in this directory is programmatically generated and **must not** be manually edited. -> When making changes to policies, please refer to the [policies.bicep](../../../src/templates/policies.bicep) file. +> Please note that the `policies.json` and `initiatives.json` files located in this directory is programmatically generated and **must not** be manually edited. +> When making changes to policies, please refer to the [policies.bicep](../../../src/templates/policies.bicep) and [initiatives.bicep](../../../src/templates/initiatives.bicep) files. *further guidance to follow* diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json new file mode 100644 index 0000000000..f3562d9ca2 --- /dev/null 
+++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json 
@@ -0,0 +1,247 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.29.47.4906", + "templateHash": "15544708819382265845" + } + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "alz", + "metadata": { + "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!", + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"" + }, + "maxLength": 10 + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optionally set the deployment location for policies with Deploy If Not Exists effect. DEFAULT VALUE = \"deployment().location\"" + } + }, + "scope": { + "type": "string", + "defaultValue": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('topLevelManagementGroupPrefix'))]", + "metadata": { + "description": "Optionally set the scope for custom Policy Definitions used in Policy Set Definitions (Initiatives). Must be one of '/', '/subscriptions/id' or '/providers/Microsoft.Management/managementGroups/id'. 
DEFAULT VALUE = '/providers/Microsoft.Management/managementGroups/${topLevelManagementGroupPrefix}'" + } + } + }, + "variables": { + "copy": [ + { + "name": "processPolicySetDefinitionsAll", + "count": "[length(variables('loadPolicySetDefinitions').All)]", + "input": "[replace(variables('loadPolicySetDefinitions').All[copyIndex('processPolicySetDefinitionsAll')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "processPolicySetDefinitionsAzureCloud", + "count": "[length(variables('loadPolicySetDefinitions').AzureCloud)]", + "input": "[replace(variables('loadPolicySetDefinitions').AzureCloud[copyIndex('processPolicySetDefinitionsAzureCloud')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "processPolicySetDefinitionsAzureChinaCloud", + "count": "[length(variables('loadPolicySetDefinitions').AzureChinaCloud)]", + "input": "[replace(variables('loadPolicySetDefinitions').AzureChinaCloud[copyIndex('processPolicySetDefinitionsAzureChinaCloud')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "processPolicySetDefinitionsAzureUSGovernment", + "count": "[length(variables('loadPolicySetDefinitions').AzureUSGovernment)]", + "input": "[replace(variables('loadPolicySetDefinitions').AzureUSGovernment[copyIndex('processPolicySetDefinitionsAzureUSGovernment')], variables('templateVars').scope, parameters('scope'))]" + }, + { + "name": "policySetDefinitionsAll", + "count": "[length(variables('processPolicySetDefinitionsAll'))]", + "input": "[json(variables('processPolicySetDefinitionsAll')[copyIndex('policySetDefinitionsAll')])]" + }, + { + "name": "policySetDefinitionsAzureCloud", + "count": "[length(variables('processPolicySetDefinitionsAzureCloud'))]", + "input": "[json(variables('processPolicySetDefinitionsAzureCloud')[copyIndex('policySetDefinitionsAzureCloud')])]" + }, + { + "name": "policySetDefinitionsAzureChinaCloud", + "count": 
"[length(variables('processPolicySetDefinitionsAzureChinaCloud'))]", + "input": "[json(variables('processPolicySetDefinitionsAzureChinaCloud')[copyIndex('policySetDefinitionsAzureChinaCloud')])]" + }, + { + "name": "policySetDefinitionsAzureUSGovernment", + "count": "[length(variables('processPolicySetDefinitionsAzureUSGovernment'))]", + "input": "[json(variables('processPolicySetDefinitionsAzureUSGovernment')[copyIndex('policySetDefinitionsAzureUSGovernment')])]" + } + ], + "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n 
\"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n 
\"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": 
\"2.1.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n 
\"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. 
For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n 
\"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": 
\"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n 
\"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": 
\"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n 
\"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n 
\"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n 
\"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n 
\"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n 
\"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n 
\"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n 
\"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": 
\"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n 
\"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": 
\"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. 
Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing 
settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n 
\"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": 
\"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": 
\"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": 
\"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for 
Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n 
\"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": 
\"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n 
\"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n 
\"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n 
\"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Audit\",\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n 
\"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n 
\"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n 
}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": 
\"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": 
\"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n 
\"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. 
To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#30": "{\n \"name\": 
\"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n 
\"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + 
"$fxv#32": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n 
\"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": 
\"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n 
\"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": 
{\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": 
null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n 
\"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n 
\"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#36": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n 
\"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure 
File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy 
denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. 
Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n 
\"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n 
\"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n 
\"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": 
[]\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#37": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": 
\"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. 
Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n 
\"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n 
\"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n 
\"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": 
\"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n 
},\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n 
\"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": 
{\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#38": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n 
\"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n 
\"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n 
\"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#39": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. 
If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n 
\"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment 
provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n 
\"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#4": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. 
Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. 
Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. 
This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. 
Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n 
\"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n 
\"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", + "$fxv#40": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": 
\"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n 
\"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n 
\"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n 
\"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n 
\"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": 
\"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": 
\"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n 
\"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": 
\"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneID\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneID\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": 
\"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n 
{\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": 
\"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBotServicePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": 
{\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotCentralPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTablePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#41": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. 
Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). 
When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n 
\"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n 
\"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#42": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n 
\"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n 
\"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#43": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. 
Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": 
\"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n 
\"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#44": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup 
Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#45": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network 
access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n 
},\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n 
}\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#47": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n 
\"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. 
Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#48": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n 
\"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": 
\"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n 
\"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": 
\"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n 
}\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#49": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. 
Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). 
When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. 
\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. 
Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. 
For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n 
\"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n 
},\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#50": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": 
\"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all 
public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n 
\"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#51": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n 
}\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#52": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n 
\"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. 
Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n 
\"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#53": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private 
DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n 
\"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n 
\"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n 
\"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#54": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit 
resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. 
The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. 
Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#6": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#7": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": 
\"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#8": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#9": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled 
virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n 
\"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n 
\"policyDefinitionGroups\": null\n }\n}", + "cloudEnv": "[environment().name]", + "defaultDeploymentLocationByCloudType": { + "AzureCloud": "northeurope", + "AzureChinaCloud": "chinaeast2", + "AzureUSGovernment": "usgovvirginia" + }, + "templateVars": { + "scope": "/providers/Microsoft.Management/managementGroups/contoso", + "defaultDeploymentLocation": "\"location\": \"northeurope\"", + "localizedDeploymentLocation": "[format('\"location\": \"{0}\"', variables('defaultDeploymentLocationByCloudType')[variables('cloudEnv')])]" + }, + "loadPolicySetDefinitions": { + "All": [ + "[variables('$fxv#0')]", + "[variables('$fxv#1')]", + "[variables('$fxv#2')]", + "[variables('$fxv#3')]", + "[variables('$fxv#4')]", + "[variables('$fxv#5')]", + "[variables('$fxv#6')]", + "[variables('$fxv#7')]", + "[variables('$fxv#8')]", + "[variables('$fxv#9')]", + "[variables('$fxv#10')]", + "[variables('$fxv#11')]", + "[variables('$fxv#12')]", + "[variables('$fxv#13')]", + "[variables('$fxv#14')]", + "[variables('$fxv#15')]", + "[variables('$fxv#16')]", + "[variables('$fxv#17')]", + "[variables('$fxv#18')]", + "[variables('$fxv#19')]", + "[variables('$fxv#20')]", + "[variables('$fxv#21')]", + "[variables('$fxv#22')]", + "[variables('$fxv#23')]", + "[variables('$fxv#24')]", + "[variables('$fxv#25')]", + "[variables('$fxv#26')]", + "[variables('$fxv#27')]", + "[variables('$fxv#28')]", + "[variables('$fxv#29')]", + "[variables('$fxv#30')]", + "[variables('$fxv#31')]", + "[variables('$fxv#32')]", + "[variables('$fxv#33')]", + "[variables('$fxv#34')]", + "[variables('$fxv#35')]" + ], + "AzureCloud": [ + "[variables('$fxv#36')]", + "[variables('$fxv#37')]", + "[variables('$fxv#38')]", + "[variables('$fxv#39')]", + "[variables('$fxv#40')]", + "[variables('$fxv#41')]", + "[variables('$fxv#42')]", + "[variables('$fxv#43')]", + "[variables('$fxv#44')]" + ], + "AzureChinaCloud": [ + "[variables('$fxv#45')]", + "[variables('$fxv#46')]", + "[variables('$fxv#47')]", + "[variables('$fxv#48')]", + 
"[variables('$fxv#49')]" + ], + "AzureUSGovernment": [ + "[variables('$fxv#50')]", + "[variables('$fxv#51')]", + "[variables('$fxv#52')]", + "[variables('$fxv#53')]", + "[variables('$fxv#54')]" + ] + }, + "policySetDefinitionsByCloudType": { + "All": "[variables('policySetDefinitionsAll')]", + "AzureCloud": "[variables('policySetDefinitionsAzureCloud')]", + "AzureChinaCloud": "[variables('policySetDefinitionsAzureChinaCloud')]", + "AzureUSGovernment": "[variables('policySetDefinitionsAzureUSGovernment')]" + }, + "policySetDefinitions": "[concat(variables('policySetDefinitionsByCloudType').All, variables('policySetDefinitionsByCloudType')[variables('cloudEnv')])]" + }, + "resources": [ + { + "copy": { + "name": "PolicySetDefinitions", + "count": "[length(variables('policySetDefinitions'))]" + }, + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2020-09-01", + "name": "[variables('policySetDefinitions')[copyIndex()].name]", + "properties": { + "description": "[variables('policySetDefinitions')[copyIndex()].properties.description]", + "displayName": "[variables('policySetDefinitions')[copyIndex()].properties.displayName]", + "metadata": "[variables('policySetDefinitions')[copyIndex()].properties.metadata]", + "parameters": "[variables('policySetDefinitions')[copyIndex()].properties.parameters]", + "policyType": "[variables('policySetDefinitions')[copyIndex()].properties.policyType]", + "policyDefinitions": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitions]", + "policyDefinitionGroups": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitionGroups]" + } + } + ], + "outputs": { + "policySetDefinitionNames": { + "type": "array", + "copy": { + "count": "[length(variables('policySetDefinitions'))]", + "input": "[variables('policySetDefinitions')[copyIndex()].name]" + } + } + } +} \ No newline at end of file 
diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 4c63295ef3..9c86608a2d 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,19 +4,19 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.15.31.15270", - "templateHash": "6676146683744791219" + "version": "0.29.47.4906", + "templateHash": "49176136240050651" } }, "parameters": { "topLevelManagementGroupPrefix": { "type": "string", "defaultValue": "alz", - "maxLength": 10, "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"", - "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!" - } + "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!", + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"" + }, + "maxLength": 10 }, "location": { "type": "string", 
@@ -55,26 +55,6 @@ "count": "[length(variables('loadPolicyDefinitions').AzureUSGovernment)]", "input": "[replace(replace(variables('loadPolicyDefinitions').AzureUSGovernment[copyIndex('processPolicyDefinitionsAzureUSGovernment')], variables('templateVars').defaultDeploymentLocation, variables('deploymentLocation')), variables('templateVars').localizedDeploymentLocation, variables('deploymentLocation'))]" }, - { - "name": "processPolicySetDefinitionsAll", - "count": "[length(variables('loadPolicySetDefinitions').All)]", - "input": "[replace(variables('loadPolicySetDefinitions').All[copyIndex('processPolicySetDefinitionsAll')], variables('templateVars').scope, parameters('scope'))]" - }, - { - "name": "processPolicySetDefinitionsAzureCloud", - "count": "[length(variables('loadPolicySetDefinitions').AzureCloud)]", - "input": "[replace(variables('loadPolicySetDefinitions').AzureCloud[copyIndex('processPolicySetDefinitionsAzureCloud')], variables('templateVars').scope, parameters('scope'))]" - }, - { - "name": "processPolicySetDefinitionsAzureChinaCloud", - "count": "[length(variables('loadPolicySetDefinitions').AzureChinaCloud)]", - "input": "[replace(variables('loadPolicySetDefinitions').AzureChinaCloud[copyIndex('processPolicySetDefinitionsAzureChinaCloud')], variables('templateVars').scope, parameters('scope'))]" - }, - { - "name": "processPolicySetDefinitionsAzureUSGovernment", - "count": "[length(variables('loadPolicySetDefinitions').AzureUSGovernment)]", - "input": "[replace(variables('loadPolicySetDefinitions').AzureUSGovernment[copyIndex('processPolicySetDefinitionsAzureUSGovernment')], variables('templateVars').scope, parameters('scope'))]" - }, { "name": "policyDefinitionsAll", "count": "[length(variables('processPolicyDefinitionsAll'))]", 
@@ -94,164 +74,178 @@ "name": "policyDefinitionsAzureUSGovernment", "count": "[length(variables('processPolicyDefinitionsAzureUSGovernment'))]", "input": "[json(variables('processPolicyDefinitionsAzureUSGovernment')[copyIndex('policyDefinitionsAzureUSGovernment')])]" - }, - { - "name": "policySetDefinitionsAll", - "count": "[length(variables('processPolicySetDefinitionsAll'))]", - "input": "[json(variables('processPolicySetDefinitionsAll')[copyIndex('policySetDefinitionsAll')])]" - }, - { - "name": "policySetDefinitionsAzureCloud", - "count": "[length(variables('processPolicySetDefinitionsAzureCloud'))]", - "input": "[json(variables('processPolicySetDefinitionsAzureCloud')[copyIndex('policySetDefinitionsAzureCloud')])]" - }, - { - "name": "policySetDefinitionsAzureChinaCloud", - "count": "[length(variables('processPolicySetDefinitionsAzureChinaCloud'))]", - "input": "[json(variables('processPolicySetDefinitionsAzureChinaCloud')[copyIndex('policySetDefinitionsAzureChinaCloud')])]" - }, - { - "name": "policySetDefinitionsAzureUSGovernment", - "count": "[length(variables('processPolicySetDefinitionsAzureUSGovernment'))]", - "input": "[json(variables('processPolicySetDefinitionsAzureUSGovernment')[copyIndex('policySetDefinitionsAzureUSGovernment')])]" } ], "$fxv#0": "{\n \"name\": \"Append-AppService-httpsonly\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"AppService append enable https only setting to enforce https setting.\",\n \"description\": \"Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. 
Please note Append does not enforce compliance use then deny.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"notequals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"value\": true\n }\n ]\n }\n }\n }\n}\n", - "$fxv#1": "{\n \"name\": \"Append-AppService-latestTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"AppService append sites with minimum TLS version to enforce.\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. 
Please note Append does not enforce compliance use then deny.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS Web App config\",\n \"description\": \"Select version minimum TLS version for a Web App config to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites/config\"\n },\n {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"notEquals\": \"[[parameters('minTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"value\": \"[[parameters('minTlsVersion')]\"\n }\n ]\n }\n }\n }\n}\n", - "$fxv#10": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#100": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n 
\"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#101": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n 
\"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n 
]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#102": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#103": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine 
Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#104": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n 
{\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#105": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. 
Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. 
It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": 
\"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#106": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all and categorys enabled.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": 
\"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#107": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network 
access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#108": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. 
Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#109": "{\n \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions 
(or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n },\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"defaultValue\": \"True\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"chinaeast2\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"string\"\n },\n \"logsEnabled\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"subscriptionToLa\",\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"location\": \"Global\",\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n 
\"logs\": [\n {\n \"category\": \"Administrative\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Security\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ServiceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Alert\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Recommendation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Policy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ResourceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#11": "{\n \"name\": \"Deny-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny the creation of private DNS\",\n \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n 
\"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#110": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n 
}\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#111": "{\n \"name\": \"Deploy-MySQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the 
encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", - "$fxv#112": "{\n \"name\": \"Deploy-PostgreSQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", - "$fxv#113": "{\n \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your 
private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"privateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"afs\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n 
},\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-afs\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#114": "{\n \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. 
Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID\",\n \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"vault\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n 
{\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"keyvault-privateDnsZone\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#115": "{\n \"name\": \"Deploy-Private-DNS-Azure-Web\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. 
Learn more at: https://aka.ms/awps/privatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Web PubSub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone Id\",\n \"description\": \"Private DNS zone to integrate with private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"webpubsub\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), 
'/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-webpubsub-azure-com\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#116": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n 
\"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#117": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. 
Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. 
It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": 
\"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#118": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#119": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": 
\"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. 
To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#12": "{\n \"name\": 
\"Deny-PublicEndpoint-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network access should be disabled for MariaDB\",\n \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n {\n \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n \"notequals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#120": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. 
\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. Latest TLS version should be used in your API App\",\n \"description\": \"App Service API App. Only Audit, deny not possible as it is a related resource. 
Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. 
Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n 
},\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#121": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services 
with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service 
non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n 
\"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n 
},\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#122": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. 
See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n 
\"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": 
[]\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n 
{\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#123": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.1.1\",\n \"category\": \"Security 
Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. 
Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n 
\"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"Effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n 
\"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#124": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n 
\"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n 
}\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone 
Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": 
\"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS 
Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n 
\"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n 
\"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFileprivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n 
\"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": 
{\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n 
\"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": 
{\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#125": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. 
Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). 
When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#126": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": 
[\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n 
\"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n 
\"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#127": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": 
\"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n 
}\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#128": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": 
\"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": 
\"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n 
],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#129": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": 
\"string\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n 
\"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution 
of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFileprivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": 
\"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#13": "{\n \"name\": \"Deny-PublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deny the creation of public IP\",\n \"description\": \"[Deprecated] This policy denies creation of Public IPs under the assigned scope.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": 
\"Microsoft.Network/publicIPAddresses\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#130": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. 
The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. 
Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#131": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n 
\"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n 
\"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#132": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. 
See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n 
},\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n 
\"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n 
\"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": 
{\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": 
\"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n 
\"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n 
\"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n 
\"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#133": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n 
\"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": 
\"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#134": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n 
\"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n 
\"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n 
\"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFileprivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": 
\"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#135": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n 
\"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. 
This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. 
The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. 
Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. 
Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n 
\"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": 
\"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#14": "{\n \"name\": \"Deny-RDP-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"RDP access from the Internet should be blocked\",\n \"description\": \"This policy denies any network security rule that allows RDP access from Internet\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"3389\"\n },\n {\n \"value\": 
\"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\",\n \"equals\": \"true\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"3389\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": 
\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#15": "{\n \"name\": \"Deny-Redis-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis only secure connections should be enabled\",\n \"description\": \"Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select minumum TLS version for Azure Cache for Redis.\",\n \"description\": \"Select minimum TLS version for Azure Cache for Redis.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n 
\"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#16": "{\n \"name\": \"Deny-Sql-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure SQL Database should have the minimal TLS version set to the highest version\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"notequals\": 
\"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#17": "{\n \"name\": \"Deny-SqlMi-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version set to the highest version\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n 
\"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#18": "{\n \"name\": \"Deny-Storage-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Storage Account set to minimum TLS and Secure transfer should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"less\": \"2019-04-01\"\n },\n {\n \"field\": 
\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"exists\": \"false\"\n }\n ]\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#19": "{\n \"name\": \"Deny-Subnet-Without-Nsg\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets should have a Network Security Group\",\n \"description\": \"This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"GatewaySubnet\",\n \"AzureFirewallSubnet\",\n \"AzureFirewallManagementSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n 
\"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"exists\": \"false\",\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#1": "{\n \"name\": \"Append-AppService-latestTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"AppService append sites with minimum TLS version to enforce.\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. 
Please note Append does not enforce compliance use then deny.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS Web App config\",\n \"description\": \"Select version minimum TLS version for a Web App config to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"exists\": \"true\"\n },\n {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"notEquals\": \"[[parameters('minTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"value\": \"[[parameters('minTlsVersion')]\"\n }\n ]\n }\n }\n }\n}\n", + "$fxv#10": "{\n \"name\": \"Deny-AppServiceApiApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"API App should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n 
\"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"*api\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#100": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\",\n \"displayName\": \"The email address to send alerts. 
For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\",\n \"equals\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": 
\"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": [\n \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n ]\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#101": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database Vulnerability Assessments\",\n \"description\": \"Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": 
\"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"description\": \"The email address(es) to send alerts.\",\n \"displayName\": \"The email address(es) to send alerts.\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]\",\n \"where\": {\n \"value\": \"current(Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*])\",\n \"notIn\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n }\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n 
\"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#102": "{\n \"name\": \"Deploy-SqlMi-minTLS\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL managed instances deploy a specific min TLS version requirement.\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect SQL servers\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version SQL servers\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": 
\"Microsoft.Sql/managedInstances\",\n \"evaluationDelay\": \"AfterProvisioningSuccess\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"apiVersion\": \"2020-02-02-preview\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#103": "{\n \"name\": \"Deploy-Storage-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS \",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Storage\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure STorage\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select TLS version for Azure Storage server\",\n \"description\": \"Select version minimum TLS version Azure STorage to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"notEquals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"notEquals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"true\"\n },\n {\n \"field\": 
\"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"equals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"apiVersion\": \"2019-06-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"supportsHttpsTrafficOnly\": true,\n \"minimumTlsVersion\": \"[[parameters('minimumTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('minimumTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#104": "{\n \"name\": \"Deploy-VNET-HubSpoke\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Virtual Network with peering to the hub\",\n \"description\": \"This policy deploys virtual network and peer to the hub\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vNetName\": {\n \"type\": 
\"String\",\n \"metadata\": {\n \"displayName\": \"vNetName\",\n \"description\": \"Name of the landing zone vNet\"\n }\n },\n \"vNetRgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetRgName\",\n \"description\": \"Name of the landing zone vNet RG\"\n }\n },\n \"vNetLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetLocation\",\n \"description\": \"Location for the vNet\"\n }\n },\n \"vNetCidrRange\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetCidrRange\",\n \"description\": \"CIDR Range for the vNet\"\n }\n },\n \"hubResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"hubResourceId\",\n \"description\": \"Resource ID for the HUB vNet\"\n }\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"DNSServers\",\n \"description\": \"Default domain servers for the vNET.\"\n },\n \"defaultValue\": []\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"vNetPeerUseRemoteGateway\",\n \"description\": \"Enable gateway transit for the LZ network\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"name\": \"[[parameters('vNetName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"ResourceGroupName\": \"[[parameters('vNetRgName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('vNetName')]\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vNetLocation')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": 
\"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vNetRgName\": {\n \"value\": \"[[parameters('vNetRgName')]\"\n },\n \"vNetName\": {\n \"value\": \"[[parameters('vNetName')]\"\n },\n \"vNetLocation\": {\n \"value\": \"[[parameters('vNetLocation')]\"\n },\n \"vNetCidrRange\": {\n \"value\": \"[[parameters('vNetCidrRange')]\"\n },\n \"hubResourceId\": {\n \"value\": \"[[parameters('hubResourceId')]\"\n },\n \"dnsServers\": {\n \"value\": \"[[parameters('dnsServers')]\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"value\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vNetRgName\": {\n \"type\": \"String\"\n },\n \"vNetName\": {\n \"type\": \"String\"\n },\n \"vNetLocation\": {\n \"type\": \"String\"\n },\n \"vNetCidrRange\": {\n \"type\": \"String\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"bool\",\n \"defaultValue\": false\n },\n \"hubResourceId\": {\n \"type\": \"String\"\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"defaultValue\": []\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('vNetRgName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n 
\"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"dependsOn\": [\n \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[parameters('vNetName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"addressSpace\": {\n \"addressPrefixes\": [\n \"[[parameters('vNetCidrRange')]\"\n ]\n },\n \"dhcpOptions\": {\n \"dnsServers\": \"[[parameters('dnsServers')]\"\n }\n }\n },\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('vNetName'), '/peerToHub')]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"remoteVirtualNetwork\": {\n \"id\": \"[[parameters('hubResourceId')]\"\n },\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": false,\n \"useRemoteGateways\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-hub-peering-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"subscriptionId\": \"[[split(parameters('hubResourceId'),'/')[2]]\",\n \"resourceGroup\": \"[[split(parameters('hubResourceId'),'/')[4]]\",\n \"dependsOn\": [\n 
\"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"type\": \"String\",\n \"defaultValue\": false\n },\n \"hubName\": {\n \"type\": \"String\",\n \"defaultValue\": false\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"name\": \"[[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\n \"apiVersion\": \"2021-02-01\",\n \"properties\": {\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": true,\n \"useRemoteGateways\": false,\n \"remoteVirtualNetwork\": {\n \"id\": \"[[[parameters('remoteVirtualNetwork')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"value\": \"[[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]\"\n },\n \"hubName\": {\n \"value\": \"[[split(parameters('hubResourceId'),'/')[8]]\"\n }\n }\n }\n }\n ],\n \"outputs\": {}\n }\n },\n \"resourceGroup\": \"[[parameters('vNetRgName')]\"\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#105": "{\n \"name\": \"Deploy-Vm-autoShutdown\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Virtual Machine Auto Shutdown Schedule\",\n \"description\": \"Deploys an auto shutdown schedule to a virtual machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": 
\"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"time\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Scheduled Shutdown Time\",\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n },\n \"defaultValue\": \"0000\"\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"UTC\",\n \"metadata\": {\n \"displayName\": \"Time zone\",\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"metadata\": {\n \"displayName\": \"Send Notification before auto-shutdown\",\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n },\n \"allowedValues\": [\n \"Disabled\",\n \"Enabled\"\n ]\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Email Address\",\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Webhook URL\",\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DevTestLab/schedules/taskType\",\n \"equals\": \"ComputeVmShutdownTask\"\n },\n {\n \"field\": \"Microsoft.DevTestLab/schedules/targetResourceId\",\n \"equals\": \"[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"time\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n }\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n }\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat('shutdown-computevm-',parameters('vmName'))]\",\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"location\": \"[[parameters('location')]\",\n \"apiVersion\": \"2018-09-15\",\n \"properties\": {\n \"status\": \"Enabled\",\n \"taskType\": \"ComputeVmShutdownTask\",\n \"dailyRecurrence\": {\n \"time\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": \"[[parameters('timeZoneId')]\",\n \"notificationSettings\": {\n \"status\": \"[[parameters('EnableNotification')]\",\n \"timeInMinutes\": 30,\n \"webhookUrl\": 
\"[[parameters('NotificationWebhookUrl')]\",\n \"emailRecipient\": \"[[parameters('NotificationEmailRecipient')]\",\n \"notificationLocale\": \"en\"\n },\n \"targetResourceId\": \"[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"time\": {\n \"value\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": {\n \"value\": \"[[parameters('timeZoneId')]\"\n },\n \"EnableNotification\": {\n \"value\": \"[[parameters('EnableNotification')]\"\n },\n \"NotificationEmailRecipient\": {\n \"value\": \"[[parameters('NotificationEmailRecipient')]\"\n },\n \"NotificationWebhookUrl\": {\n \"value\": \"[[parameters('NotificationWebhookUrl')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#106": "{\n \"name\": \"Deploy-Windows-DomainJoin\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Windows Domain Join Extension with keyvault configuration\",\n \"description\": \"Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"domainUsername\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainUsername\"\n }\n },\n \"domainPassword\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainPassword\"\n }\n },\n \"domainFQDN\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainFQDN\"\n }\n },\n \"domainOUPath\": {\n \"type\": 
\"String\",\n \"metadata\": {\n \"displayName\": \"domainOUPath\"\n }\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"keyVaultResourceId\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"MicrosoftWindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageOffer\",\n \"equals\": \"WindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"in\": [\n \"2008-R2-SP1\",\n \"2008-R2-SP1-smalldisk\",\n \"2008-R2-SP1-zhcn\",\n \"2012-Datacenter\",\n \"2012-datacenter-gensecond\",\n \"2012-Datacenter-smalldisk\",\n \"2012-datacenter-smalldisk-g2\",\n \"2012-Datacenter-zhcn\",\n \"2012-datacenter-zhcn-g2\",\n \"2012-R2-Datacenter\",\n \"2012-r2-datacenter-gensecond\",\n \"2012-R2-Datacenter-smalldisk\",\n \"2012-r2-datacenter-smalldisk-g2\",\n \"2012-R2-Datacenter-zhcn\",\n \"2012-r2-datacenter-zhcn-g2\",\n \"2016-Datacenter\",\n \"2016-datacenter-gensecond\",\n \"2016-datacenter-gs\",\n \"2016-Datacenter-Server-Core\",\n \"2016-datacenter-server-core-g2\",\n \"2016-Datacenter-Server-Core-smalldisk\",\n \"2016-datacenter-server-core-smalldisk-g2\",\n \"2016-Datacenter-smalldisk\",\n \"2016-datacenter-smalldisk-g2\",\n \"2016-Datacenter-with-Containers\",\n \"2016-datacenter-with-containers-g2\",\n \"2016-Datacenter-with-RDSH\",\n \"2016-Datacenter-zhcn\",\n \"2016-datacenter-zhcn-g2\",\n \"2019-Datacenter\",\n \"2019-Datacenter-Core\",\n \"2019-datacenter-core-g2\",\n \"2019-Datacenter-Core-smalldisk\",\n \"2019-datacenter-core-smalldisk-g2\",\n 
\"2019-Datacenter-Core-with-Containers\",\n \"2019-datacenter-core-with-containers-g2\",\n \"2019-Datacenter-Core-with-Containers-smalldisk\",\n \"2019-datacenter-core-with-containers-smalldisk-g2\",\n \"2019-datacenter-gensecond\",\n \"2019-datacenter-gs\",\n \"2019-Datacenter-smalldisk\",\n \"2019-datacenter-smalldisk-g2\",\n \"2019-Datacenter-with-Containers\",\n \"2019-datacenter-with-containers-g2\",\n \"2019-Datacenter-with-Containers-smalldisk\",\n \"2019-datacenter-with-containers-smalldisk-g2\",\n \"2019-Datacenter-zhcn\",\n \"2019-datacenter-zhcn-g2\",\n \"Datacenter-Core-1803-with-Containers-smalldisk\",\n \"datacenter-core-1803-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1809-with-Containers-smalldisk\",\n \"datacenter-core-1809-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1903-with-Containers-smalldisk\",\n \"datacenter-core-1903-with-containers-smalldisk-g2\",\n \"datacenter-core-1909-with-containers-smalldisk\",\n \"datacenter-core-1909-with-containers-smalldisk-g1\",\n \"datacenter-core-1909-with-containers-smalldisk-g2\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"JsonADDomainExtension\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Compute\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"domainUsername\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": 
\"[[parameters('domainUsername')]\"\n }\n },\n \"domainPassword\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainPassword')]\"\n }\n },\n \"domainOUPath\": {\n \"value\": \"[[parameters('domainOUPath')]\"\n },\n \"domainFQDN\": {\n \"value\": \"[[parameters('domainFQDN')]\"\n },\n \"keyVaultResourceId\": {\n \"value\": \"[[parameters('keyVaultResourceId')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"domainUsername\": {\n \"type\": \"String\"\n },\n \"domainPassword\": {\n \"type\": \"securestring\"\n },\n \"domainFQDN\": {\n \"type\": \"String\"\n },\n \"domainOUPath\": {\n \"type\": \"String\"\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {\n \"domainJoinOptions\": 3,\n \"vmName\": \"[[parameters('vmName')]\"\n },\n \"resources\": [\n {\n \"apiVersion\": \"2015-06-15\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(variables('vmName'),'/joindomain')]\",\n \"location\": \"[[resourceGroup().location]\",\n \"properties\": {\n \"publisher\": \"Microsoft.Compute\",\n \"type\": \"JsonADDomainExtension\",\n \"typeHandlerVersion\": \"1.3\",\n \"autoUpgradeMinorVersion\": true,\n \"settings\": {\n \"Name\": \"[[parameters('domainFQDN')]\",\n \"User\": \"[[parameters('domainUserName')]\",\n \"Restart\": \"true\",\n \"Options\": \"[[variables('domainJoinOptions')]\",\n \"OUPath\": \"[[parameters('domainOUPath')]\"\n },\n \"protectedSettings\": {\n \"Password\": \"[[parameters('domainPassword')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#107": "{\n \"name\": \"Deploy-Diagnostics-VWanS2SVPNGW\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/vpnGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/vpnGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IKEDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RouteDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TunnelDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": 
\"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#108": "{\n \"name\": \"Audit-PrivateLinkDnsZones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null, \n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Audit or Deny the creation of Private Link Private DNS Zones\",\n \"description\": \"This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.2\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"privateLinkDnsZones\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Private Link Private DNS Zones\",\n \"description\": \"An array of Private Link Private DNS Zones to check for the existence of in the assigned scope.\"\n },\n \"defaultValue\": [\n \"privatelink.adf.azure.com\",\n \"privatelink.afs.azure.net\",\n \"privatelink.agentsvc.azure-automation.net\",\n \"privatelink.analysis.windows.net\",\n \"privatelink.api.azureml.ms\",\n \"privatelink.azconfig.io\",\n \"privatelink.azure-api.net\",\n \"privatelink.azure-automation.net\",\n \"privatelink.azurecr.io\",\n 
\"privatelink.azure-devices.net\",\n \"privatelink.azure-devices-provisioning.net\",\n \"privatelink.azuredatabricks.net\",\n \"privatelink.azurehdinsight.net\",\n \"privatelink.azurehealthcareapis.com\",\n \"privatelink.azurestaticapps.net\",\n \"privatelink.azuresynapse.net\",\n \"privatelink.azurewebsites.net\",\n \"privatelink.batch.azure.com\",\n \"privatelink.blob.core.windows.net\",\n \"privatelink.cassandra.cosmos.azure.com\",\n \"privatelink.cognitiveservices.azure.com\",\n \"privatelink.database.windows.net\",\n \"privatelink.datafactory.azure.net\",\n \"privatelink.dev.azuresynapse.net\",\n \"privatelink.dfs.core.windows.net\",\n \"privatelink.dicom.azurehealthcareapis.com\",\n \"privatelink.digitaltwins.azure.net\",\n \"privatelink.directline.botframework.com\",\n \"privatelink.documents.azure.com\",\n \"privatelink.eventgrid.azure.net\",\n \"privatelink.file.core.windows.net\",\n \"privatelink.gremlin.cosmos.azure.com\",\n \"privatelink.guestconfiguration.azure.com\",\n \"privatelink.his.arc.azure.com\",\n \"privatelink.kubernetesconfiguration.azure.com\",\n \"privatelink.managedhsm.azure.net\",\n \"privatelink.mariadb.database.azure.com\",\n \"privatelink.media.azure.net\",\n \"privatelink.mongo.cosmos.azure.com\",\n \"privatelink.monitor.azure.com\",\n \"privatelink.mysql.database.azure.com\",\n \"privatelink.notebooks.azure.net\",\n \"privatelink.ods.opinsights.azure.com\",\n \"privatelink.oms.opinsights.azure.com\",\n \"privatelink.pbidedicated.windows.net\",\n \"privatelink.postgres.database.azure.com\",\n \"privatelink.prod.migration.windowsazure.com\",\n \"privatelink.purview.azure.com\",\n \"privatelink.purviewstudio.azure.com\",\n \"privatelink.queue.core.windows.net\",\n \"privatelink.redis.cache.windows.net\",\n \"privatelink.redisenterprise.cache.azure.net\",\n \"privatelink.search.windows.net\",\n \"privatelink.service.signalr.net\",\n \"privatelink.servicebus.windows.net\",\n \"privatelink.siterecovery.windowsazure.com\",\n 
\"privatelink.sql.azuresynapse.net\",\n \"privatelink.table.core.windows.net\",\n \"privatelink.table.cosmos.azure.com\",\n \"privatelink.tip1.powerquery.microsoft.com\",\n \"privatelink.token.botframework.com\",\n \"privatelink.vaultcore.azure.net\",\n \"privatelink.web.core.windows.net\",\n \"privatelink.webpubsub.azure.com\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n {\n \"field\": \"name\",\n \"in\": \"[[parameters('privateLinkDnsZones')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#109": "{\n \"name\": \"DenyAction-DiagnosticLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"DenyAction implementation on Diagnostic Logs.\",\n \"description\": \"DenyAction implementation on Diagnostic Logs.\",\n \"metadata\": {\n \"deprecated\": false,\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Insights/diagnosticSettings\"\n },\n \"then\": {\n \"effect\": \"denyAction\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}", + "$fxv#11": "{\n \"name\": \"Deny-AppServiceFunctionApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Function App should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer 
eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"functionapp*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#110": "{\n \"name\": \"DenyAction-ActivityLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"DenyAction implementation on Activity Logs\",\n \"description\": \"This is a DenyAction implementation policy on Activity Logs.\",\n \"metadata\": {\n \"deprecated\": false, \n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions/providers/diagnosticSettings\"\n },\n \"then\": {\n \"effect\": \"denyAction\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}", + "$fxv#111": "{\n \"name\": \"Deploy-UserAssignedManagedIdentity-VMInsights\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"[Deprecated]: Deploy User Assigned Managed Identity for VM Insights\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Managed Identity\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Bring Your Own User-Assigned Identity\",\n \"description\": \"Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. 
If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'.\"\n },\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User-Assigned Managed Identity Name\",\n \"description\": \"The name of the pre-created user-assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User-Assigned Managed Identity Resource Group Name\",\n \"description\": \"The resource group in which the pre-created user-assigned managed identity resides.\"\n },\n \"defaultValue\": \"\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Built-In-Identity-RG Location\",\n \"description\": \"The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false.\"\n },\n \"defaultValue\": \"eastus\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Policy Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match.\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"greaterOrEquals\": \"2018-10-01\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines\",\n \"name\": \"[[field('name')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"existenceCondition\": {\n 
\"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"identity.type\",\n \"contains\": \"UserAssigned\"\n },\n {\n \"field\": \"identity.userAssignedIdentities\",\n \"containsKey\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]\"\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"identity.type\",\n \"equals\": \"UserAssigned\"\n },\n {\n \"value\": \"[[string(length(field('identity.userAssignedIdentities')))]\",\n \"equals\": \"1\"\n }\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"value\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"uaName\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"value\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vmResourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"resourceId\": {\n \"value\": \"[[field('id')]\"\n }\n },\n \"template\": {\n 
\"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.1\",\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"type\": \"bool\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"uaName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"vmResourceGroup\": {\n \"type\": \"string\"\n },\n \"resourceId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"uaNameWithLocation\": \"[[concat(parameters('uaName'),'-', parameters('location'))]\",\n \"precreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]\",\n \"autocreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]\",\n \"deployUALockName\": \"[[concat('deployUALock-', uniqueString(deployment().name))]\",\n \"deployUAName\": \"[[concat('deployUA-', uniqueString(deployment().name))]\",\n \"deployGetResourceProperties\": \"[[concat('deployGetResourceProperties-', uniqueString(deployment().name))]\",\n \"deployAssignUAName\": \"[[concat('deployAssignUA-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[parameters('identityResourceGroup')]\",\n \"location\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n },\n {\n \"condition\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\",\n \"type\": \"Microsoft.Resources/deployments\",\n 
\"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployUALockName')]\",\n \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaName\": {\n \"value\": \"[[parameters('uaName')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n \"name\": \"[[parameters('uaName')]\",\n \"apiVersion\": \"2018-11-30\",\n \"location\": \"[[parameters('location')]\"\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployUAName')]\",\n \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaName\": {\n \"value\": \"[[variables('uaNameWithLocation')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n 
\"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n \"name\": \"[[parameters('uaName')]\",\n \"apiVersion\": \"2018-11-30\",\n \"location\": \"[[parameters('location')]\"\n },\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks\",\n \"apiVersion\": \"2016-09-01\",\n \"name\": \"[[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]\",\n \"dependsOn\": [\n \"[[parameters('uaName')]\"\n ],\n \"properties\": {\n \"level\": \"CanNotDelete\",\n \"notes\": \"Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence.\"\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployGetResourceProperties')]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n \"[[variables('deployUAName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [],\n \"outputs\": {\n \"resource\": {\n \"type\": \"object\",\n \"value\": \"[[reference(parameters('resourceId'), '2019-07-01', 'Full')]\"\n }\n }\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[concat(variables('deployAssignUAName'))]\",\n \"resourceGroup\": \"[[parameters('vmResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n \"[[variables('deployUAName')]\",\n \"[[variables('deployGetResourceProperties')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n 
},\n \"parameters\": {\n \"uaId\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"identityType\": {\n \"value\": \"[[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]\"\n },\n \"userAssignedIdentities\": {\n \"value\": \"[[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaId\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"identityType\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentities\": {\n \"type\": \"object\"\n }\n },\n \"variables\": {\n \"identityTypeValue\": \"[[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]\",\n \"userAssignedIdentitiesValue\": \"[[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]\",\n \"resourceWithSingleUAI\": \"[[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[not(variables('resourceWithSingleUAI'))]\",\n \"apiVersion\": \"2019-07-01\",\n \"type\": 
\"Microsoft.Compute/virtualMachines\",\n \"name\": \"[[parameters('vmName')]\",\n \"location\": \"[[parameters('location')]\",\n \"identity\": {\n \"type\": \"[[variables('identityTypeValue')]\",\n \"userAssignedIdentities\": \"[[variables('userAssignedIdentitiesValue')]\"\n }\n }\n ]\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#112": "{\n \"name\": \"Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"2227e1f1-23dd-4c3a-85a9-7024a401d8b2\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data 
Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/osName\",\n \"equals\": \"Windows\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRuleAssociations\",\n \"name\": \"MicrosoftDefenderForSQL-RulesAssociation\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": 
\"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. 
Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#113": "{\n \"name\": \"Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"63d03cbd-47fd-4ee1-8a1c-9ddf07303de0\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection 
Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/osName\",\n \"equals\": \"Windows\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n 
\"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": \"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n 
\"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n \"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. 
Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": 
\"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#114": "{\n \"name\": \"Deploy-MDFC-SQL-AMA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"f91991d1-5383-4c95-8ee5-5ac423dd8bb1\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"name\": \"[[concat(field('fullName'), '/AzureMonitorWindowsAgent')]\",\n \"existenceCondition\": {\n 
\"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AzureMonitorWindowsAgent\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.Monitor\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"userAssignedManagedIdentity\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"extensionName\": \"AzureMonitorWindowsAgent\",\n \"extensionPublisher\": \"Microsoft.Azure.Monitor\",\n \"extensionType\": \"AzureMonitorWindowsAgent\",\n \"extensionTypeHandlerVersion\": \"1.2\"\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('vmName'), '/', variables('extensionName'))]\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"apiVersion\": \"2023-03-01\",\n \"properties\": {\n \"publisher\": \"[[variables('extensionPublisher')]\",\n \"type\": \"[[variables('extensionType')]\",\n \"typeHandlerVersion\": \"[[variables('extensionTypeHandlerVersion')]\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true,\n \"settings\": {\n \"authentication\": {\n \"managedIdentity\": {\n \"identifier-name\": \"mi_res_id\",\n \"identifier-value\": \"[[parameters('userAssignedManagedIdentity')]\"\n }\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"vmName\": {\n 
\"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"userAssignedManagedIdentity\": {\n \"value\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#115": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"04754ef9-9ae3-4477-bf17-86ef50026304\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection 
Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": 
\"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\",\n \"deployDefenderForSQL\": \"[[concat('deployDefenderForSQL-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": 
\"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": \"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDefenderForSQL')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n }\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n 
\"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n \"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. 
Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": 
\"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#116": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": 
\"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(field('fullName'), '/MicrosoftDefenderForSQL')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AdvancedThreatProtection.Windows\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.AzureDefenderForSQL\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n 
\"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"actualLocation\": \"[[if(empty(parameters('workspaceRegion')), parameters('location'), parameters('workspaceRegion'))]\",\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n },\n \"dependsOn\": [\n \"[[extensionResourceId(concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName')), 
'Microsoft.Insights/dataCollectionRuleAssociations','MicrosoftDefenderForSQL-RulesAssociation')]\"\n ]\n },\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#117": "{\n \"name\": \"Deny-APIM-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"API Management services should use TLS version 1.2\",\n \"description\": \"Azure API Management service should use TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n 
\"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ApiManagement/service\"\n },\n {\n \"anyOf\": [\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":true')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":true')]\",\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#118": "{\n \"name\": \"Deny-AppGw-Without-Tls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"description\": \"This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n 
],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"predefinedPolicyName\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Predefined policy name\",\n \"description\": \"Predefined policy name\"\n },\n \"defaultValue\": [\n \"AppGwSslPolicy20220101\",\n \"AppGwSslPolicy20170401S\",\n \"AppGwSslPolicy20220101S\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"notEquals\": \"Predefined\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyName\",\n \"notIn\": \"[[parameters('predefinedPolicyName')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#119": "{\n \"name\": \"Deny-AppService-without-BYOC\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"App Service certificates must be stored in Key Vault\",\n \"description\": \"App Service (including Logic apps and Function apps) must use certificates stored in Key Vault\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable 
the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/certificates\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultId\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultSecretName\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#12": "{\n \"name\": \"Deny-AppServiceWebApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"app*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#120": "{\n \"name\": \"Deny-AzFw-Without-Policy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n 
\"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Azure Firewall should have a default Firewall Policy\",\n \"description\": \"This policy denies the creation of Azure Firewall without a default Firewall Policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n {\n \"field\": \"Microsoft.Network/azureFirewalls/firewallPolicy.id\",\n \"exists\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#121": "{\n \"name\": \"Deny-CognitiveServices-NetworkAcls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACLs should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. 
Enable this to restrict inbound network access and enforce the usage of private endpoints.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#122": "{\n \"name\": \"Deny-CognitiveServices-Resource-Kinds\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Only explicit kinds for Cognitive Services should be allowed\",\n \"description\": \"Azure Cognitive Services should only create explicit allowed kinds.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n 
\"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedKinds\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Select the allowed resource kinds to be used with Cognitive Services\"\n },\n \"allowedValues\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ],\n \"defaultValue\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"field\": \"kind\",\n \"notIn\": \"[[parameters('allowedKinds')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#123": "{\n \"name\": \"Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Outbound network access should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services allow restricting outbound network access. 
Enable this to limit outbound connectivity for the service.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#124": "{\n \"name\": \"Deny-EH-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces should use a valid TLS version\",\n \"description\": \"Event Hub namespaces should use a valid TLS version.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n 
\"minTlsVersion\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Minimum TLS Version\",\n \"description\": \"Minimum TLS version to be used by Event Hub\"\n },\n \"defaultValue\": \"1.2\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"notEquals\": \"[[parameters('minTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#125": "{\n \"name\": \"Deny-EH-Premium-CMK\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption\",\n \"description\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/sku.name\",\n \"equals\": \"Premium\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.EventHub/namespaces/encryption.keySource\",\n \"equals\": \"Microsoft.Keyvault\"\n 
}\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#126": "{\n \"name\": \"Deny-LogicApp-Public-Network\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic apps should disable public network access\",\n \"description\": \"Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#127": "{\n \"name\": \"Deny-LogicApps-Without-Https\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic app should only be accessible over HTTPS\",\n 
\"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#128": "{\n \"name\": \"Deny-Service-Endpoints\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny or Audit service endpoints on subnets\",\n \"description\": \"This Policy will deny/audit Service Endpoints on subnets. 
Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service\",\n \"exists\": true\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#129": "{\n \"name\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should use a container delete retention policy\",\n \"description\": \"Enforce container delete retention policies larger than seven days for storage account. 
Enable this for increased data loss protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Container Delete Retention in Days\",\n \"description\": \"Specifies the minimum number of days for the container delete retention policy\"\n },\n \"defaultValue\": 7\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"notEquals\": true\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days\",\n \"less\": \"[[parameters('minContainerDeleteRetentionInDays')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#13": "{\n \"name\": \"Deny-MySql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL database servers enforce SSL connections.\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications 
using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#130": "{\n \"name\": \"Deny-Storage-CopyScope\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n 
\"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Allowed Copy scope should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedCopyScope\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Allowed Copy Scope\",\n \"description\": \"Specify the allowed copy scope.\"\n },\n \"allowedValues\": [\n \"AAD\",\n \"PrivateLink\"\n ],\n \"defaultValue\": \"AAD\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"notEquals\": \"[[parameters('allowedCopyScope')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#131": "{\n \"name\": \"Deny-Storage-CorsRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should restrict CORS rules\",\n \"description\": \"Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.\",\n \"metadata\": {\n 
\"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/tableServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/queueServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#132": "{\n \"name\": \"Deny-Storage-LocalUser\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Local users should be restricted for Storage Accounts\",\n \"description\": \"Azure 
Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#133": "{\n \"name\": \"Deny-Storage-NetworkAclsBypass\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACL bypass option should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the bypass option for service-level network ACLs. 
Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedBypassOptions\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed Bypass Options\",\n \"description\": \"Specifies which options are allowed to bypass the vnet configuration\"\n },\n \"allowedValues\": [\n \"None\",\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ],\n \"defaultValue\": [\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"notIn\": \"[[parameters('allowedBypassOptions')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#134": "{\n \"name\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n 
\"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Virtual network rules should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#135": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules resource IDs should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. 
Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\",\n \"where\": {\n \"value\": \"[[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]\",\n \"equals\": \"*\"\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#136": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules Tenants should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. 
Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId\",\n \"notEquals\": \"[[subscription().tenantId]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#137": "{\n \"name\": \"Deny-Storage-ServicesEncryption\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Encryption for storage services should be enforced for Storage Accounts\",\n \"description\": \"Azure Storage accounts should enforce encryption for all storage services. 
Enforce this for increased encryption scope.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#138": "{\n \"name\": \"Deploy-LogicApp-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Logic apps to use the latest TLS version\",\n \"description\": \"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"web\",\n \"existenceCondition\": {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"equals\": \"1.2\"\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"siteName\": {\n \"value\": \"[[field('name')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"siteName\": {\n \"type\": \"string\"\n }\n },\n 
\"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/config\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('siteName'), '/web')]\",\n \"properties\": {\n \"minTlsVersion\": \"1.2\"\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#139": "{\n \"name\": \"Modify-NSG\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of Network Security Groups (NSG)\",\n \"description\": \"This policy enforces the configuration of Network Security Groups (NSG).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"nsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"nsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"nsgRuleDirection\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Inbound\",\n \"Outbound\"\n ],\n \"defaultValue\": \"Outbound\"\n },\n \"nsgRuleAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"nsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"type\": 
\"string\",\n \"defaultValue\": \"Internet\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"value\": {\n \"name\": \"[[parameters('nsgRuleName')]\",\n \"properties\": {\n \"description\": \"[[parameters('nsgRuleDescription')]\",\n \"protocol\": \"[[parameters('nsgRuleProtocol')]\",\n \"sourcePortRange\": \"[[parameters('nsgRuleSourcePortRange')]\",\n \"destinationPortRange\": \"[[parameters('nsgRuleDestinationPortRange')]\",\n \"sourceAddressPrefix\": \"[[parameters('nsgRuleSourceAddressPrefix')]\",\n \"destinationAddressPrefix\": \"[[parameters('nsgRuleDestinationAddressPrefix')]\",\n \"access\": \"[[parameters('nsgRuleAccess')]\",\n \"priority\": \"[[parameters('nsgRulePriority')]\",\n \"direction\": \"[[parameters('nsgRuleDirection')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", + "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database 
for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": 
\"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. 
The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", + "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. 
See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. 
Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n 
}\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": 
{\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#143": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#145": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n 
\"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#146": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#147": "{\n \"name\": 
\"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n 
\"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": 
\"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#15": "{\n \"name\": \"Deny-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny the creation of private DNS\",\n \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n 
\"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n 
\"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n 
\"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n 
\"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or 
disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#155": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#156": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": 
\"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. 
It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": 
\"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#157": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": 
\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#158": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#159": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": 
\"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#16": "{\n \"name\": \"Deny-PublicEndpoint-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n {\n \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n \"notequals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#160": "{\n \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"If this workspace is outside of the scope of the assignment 
you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n },\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"defaultValue\": \"True\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"chinaeast2\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"string\"\n },\n \"logsEnabled\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"subscriptionToLa\",\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"location\": \"Global\",\n 
\"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Administrative\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Security\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ServiceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Alert\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Recommendation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Policy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ResourceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#161": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#162": "{\n \"name\": \"Deploy-MySQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", + "$fxv#163": "{\n \"name\": \"Deploy-PostgreSQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", + "$fxv#164": "{\n \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. 
This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"privateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"afs\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n 
\"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-afs\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#165": "{\n \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. 
Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID\",\n \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"vault\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n 
{\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"keyvault-privateDnsZone\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#166": "{\n \"name\": \"Deploy-Private-DNS-Azure-Web\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. 
Learn more at: https://aka.ms/awps/privatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Web PubSub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone Id\",\n \"description\": \"Private DNS zone to integrate with private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"webpubsub\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), 
'/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-webpubsub-azure-com\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#167": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n 
\"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#168": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. 
Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. 
It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": 
\"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#169": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#17": "{\n \"name\": \"Deny-PublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deny the creation of public IP\",\n \"description\": \"[Deprecated] This policy denies creation of Public IPs under the assigned scope. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/publicIPAddresses\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#18": "{\n \"name\": \"Deny-RDP-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"[Deprecated] RDP access from the Internet should be blocked\",\n \"description\": \"This policy denies any network security rule that allows RDP access from Internet. 
This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"Deny-MgmtPorts-From-Internet\",\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"3389\"\n },\n {\n \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\",\n \"equals\": \"true\"\n },\n {\n \"count\": {\n \"field\": 
\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"3389\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#19": "{\n \"name\": \"Deny-MgmtPorts-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Management port access from the Internet should be blocked\",\n 
\"description\": \"This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.\",\n \"metadata\": {\n \"version\": \"2.1.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deny-RDP-From-Internet\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ports\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"in\": \"[[parameters('ports')]\"\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), 
and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notIn\": \"[[parameters('ports')]\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": 
\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n \"in\": \"[[parameters('ports')]\"\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), 
contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"notIn\": \"[[parameters('ports')]\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#2": "{\n \"name\": \"Append-KV-SoftDelete\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"KeyVault SoftDelete should be enabled\",\n \"description\": \"This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.\",\n 
\"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/enableSoftDelete\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"append\",\n \"details\": [\n {\n \"field\": \"Microsoft.KeyVault/vaults/enableSoftDelete\",\n \"value\": true\n }\n ]\n }\n }\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Deny-Subnet-Without-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets should have a User Defined Route\",\n \"description\": \"This policy denies the creation of a subnet without a User Defined Route (UDR).\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"AzureBastionSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": 
\"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"exists\": \"false\",\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].routeTable.id\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/routeTable.id\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#21": "{\n \"name\": \"Deny-VNET-Peer-Cross-Sub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering cross subscription.\",\n \"description\": \"This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n {\n \"field\": 
\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\n \"notcontains\": \"[[subscription().id]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#22": "{\n \"name\": \"Deny-VNET-Peering-To-Non-Approved-VNETs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering to non-approved vNets\",\n \"description\": \"This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed vNets to peer with\",\n \"description\": \"Array of allowed vNets that can be peered with. Must be entered using their resource ID. 
Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}\"\n },\n \"defaultValue\": []\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\n \"in\": \"[[parameters('allowedVnets')]\"\n }\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id\",\n \"in\": \"[[parameters('allowedVnets')]\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id\",\n \"exists\": false\n }\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#23": "{\n \"name\": \"Deny-VNet-Peering\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering \",\n \"description\": \"This policy denies the creation of vNet Peerings under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": 
\"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#24": "{\n \"name\": \"Deploy-ASC-SecurityContacts\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"description\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Azure Security Center contact details\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"defaultValue\": \"High\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"roleDefinitionIds\": 
[\n \"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Security/securityContacts/email\",\n \"contains\": \"[[parameters('emailSecurityContact')]\"\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/alertNotifications.minimalSeverity\",\n \"contains\": \"[[parameters('minimalSeverity')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Security/securityContacts\"\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/alertNotifications\",\n \"equals\": \"On\"\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/alertsToAdmins\",\n \"equals\": \"On\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Security contacts email address\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Minimal severity level reported\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"name\": \"default\",\n \"apiVersion\": \"2020-01-01-preview\",\n \"properties\": {\n \"emails\": \"[[parameters('emailSecurityContact')]\",\n \"notificationsByRole\": {\n \"state\": \"On\",\n \"roles\": [\n \"Owner\"\n ]\n },\n \"alertNotifications\": {\n \"state\": \"On\",\n \"minimalSeverity\": \"[[parameters('minimalSeverity')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#25": "{\n \"name\": 
\"Deploy-Custom-Route-Table\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a route table with specific user defined routes\",\n \"description\": \"Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"requiredRoutes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"requiredRoutes\",\n \"description\": \"Routes that must exist in compliant route tables deployed by this policy\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vnetRegion\",\n \"description\": \"Only VNets in this region will be evaluated against this policy\"\n }\n },\n \"routeTableName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"routeTableName\",\n \"description\": \"Name of the route table automatically deployed by this policy\"\n }\n },\n \"disableBgpPropagation\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"DisableBgpPropagation\",\n \"description\": \"Disable BGP Propagation\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n 
\"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('routeTableName')]\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"where\": {\n \"value\": \"[[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\",\n \"in\": \"[[parameters('requiredRoutes')]\"\n }\n },\n \"equals\": \"[[length(parameters('requiredRoutes'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {\n \"copyLoop\": [\n {\n \"name\": \"routes\",\n \"count\": \"[[[length(parameters('requiredRoutes'))]\",\n \"input\": {\n \"name\": \"[[[concat('route-',copyIndex('routes'))]\",\n \"properties\": {\n \"addressPrefix\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\n \"nextHopType\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\",\n \"nextHopIpAddress\": 
\"[[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\"\n }\n }\n }\n ]\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"routeTableDepl\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[[parameters('routeTableName')]\",\n \"location\": \"[[[parameters('vnetRegion')]\",\n \"properties\": {\n \"disableBgpRoutePropagation\": \"[[[parameters('disableBgpPropagation')]\",\n \"copy\": \"[[variables('copyLoop')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#26": "{\n \"name\": \"Deploy-DDoSProtection\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy an Azure DDoS Network Protection\",\n \"description\": \"Deploys an Azure DDoS Network Protection\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ddosName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosName\",\n \"description\": \"DDoSVnet\"\n }\n },\n \"ddosRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosRegion\",\n \"description\": \"DDoSVnet location\",\n \"strongType\": \"location\"\n }\n },\n \"rgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"rgName\",\n \"description\": \"Provide name for resource group.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('rgName')]\",\n \"name\": \"[[parameters('ddosName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"rgName\": {\n \"value\": 
\"[[parameters('rgName')]\"\n },\n \"ddosname\": {\n \"value\": \"[[parameters('ddosname')]\"\n },\n \"ddosregion\": {\n \"value\": \"[[parameters('ddosRegion')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"rgName\": {\n \"type\": \"String\"\n },\n \"ddosname\": {\n \"type\": \"String\"\n },\n \"ddosRegion\": {\n \"type\": \"String\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"[[parameters('rgName')]\",\n \"location\": \"[[deployment().location]\",\n \"properties\": {}\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"ddosprotection\",\n \"resourceGroup\": \"[[parameters('rgName')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"apiVersion\": \"2019-12-01\",\n \"name\": \"[[parameters('ddosName')]\",\n \"location\": \"[[parameters('ddosRegion')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#27": "{\n \"name\": \"Deploy-Diagnostics-AA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation 
which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": 
\"Microsoft.Automation/automationAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Automation/automationAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n 
\"logs\": [\n {\n \"category\": \"JobLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"JobStreams\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DscNodeStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AuditEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#28": "{\n \"name\": \"Deploy-Diagnostics-ACI\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ContainerInstance/containerGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#29": "{\n \"name\": \"Deploy-Diagnostics-ACR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics enabled.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ContainerRegistry/registries\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n 
\"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ContainerRegistry/registries/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ContainerRegistryLoginEvents\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ContainerRegistryRepositoryEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#3": "{\n \"name\": \"Append-Redis-disableNonSslPort\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.\",\n \"description\": \"Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\",\n \"Modify\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Cache for Redis\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n \"equals\": \"true\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n \"value\": false\n }\n ]\n }\n }\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Deploy-Diagnostics-AnalysisService\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.AnalysisServices/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n 
\"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.AnalysisServices/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Engine\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": 
\"Service\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#31": "{\n \"name\": \"Deploy-Diagnostics-ApiForFHIR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HealthcareApis/services\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.HealthcareApis/services/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#32": "{\n \"name\": 
\"Deploy-Diagnostics-APIMgmt\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ApiManagement/service\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ApiManagement/service/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"WebSocketConnectionLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": 
\"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#33": "{\n \"name\": \"Deploy-Diagnostics-ApplicationGateway\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": 
[\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/applicationGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ApplicationGatewayAccessLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ApplicationGatewayPerformanceLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ApplicationGatewayFirewallLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#34": "{\n \"name\": \"Deploy-Diagnostics-Bastion\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/bastionHosts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/bastionHosts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"BastionAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#35": "{\n \"name\": 
\"Deploy-Diagnostics-CDNEndpoints\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cdn/profiles/endpoints\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": 
\"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"CoreAnalytics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('fullName')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#36": "{\n \"name\": \"Deploy-Diagnostics-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n 
\"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.CognitiveServices/accounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": 
\"RequestResponse\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Trace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#37": "{\n \"name\": \"Deploy-Diagnostics-CosmosDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DocumentDB/databaseAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": 
[\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"Requests\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DataPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MongoRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryRuntimeStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PartitionKeyStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PartitionKeyRUConsumption\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ControlPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": 
\"CassandraRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"GremlinRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#38": "{\n \"name\": \"Deploy-Diagnostics-Databricks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.3.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": 
\"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Databricks/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"dbfs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clusters\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"accounts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"jobs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"notebook\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ssh\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"workspace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"secrets\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"sqlPermissions\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"instancePools\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"sqlanalytics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"genie\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"globalInitScripts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"iamRole\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"mlflowExperiment\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"featureStore\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RemoteHistoryService\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"mlflowAcledArtifact\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"databrickssql\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"deltaPipelines\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"modelRegistry\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"repos\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"unityCatalog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"gitCredentials\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"webTerminal\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"serverlessRealTimeInference\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clusterLibraries\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"partnerHub\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clamAVScan\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"capsule8Dataplane\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#39": "{\n \"name\": \"Deploy-Diagnostics-DataExplorerCluster\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n 
\"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Kusto/Clusters\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Kusto/Clusters/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": 
\"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"SucceededIngestion\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FailedIngestion\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IngestionBatching\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Command\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Query\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableUsageStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableDetails\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#20": "{\n \"name\": \"Deny-Redis-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis only secure connections should be enabled\",\n \"description\": \"Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select minumum TLS version for Azure Cache for Redis.\",\n \"description\": \"Select minimum TLS version for Azure Cache for Redis.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#21": "{\n \"name\": \"Deny-Sql-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure SQL Database should have the minimal TLS version set to the highest version\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be 
accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#22": "{\n \"name\": \"Deny-SqlMi-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version set to the highest version\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. 
Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#23": "{\n \"name\": \"Deny-Storage-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"[Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. 
This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"less\": \"2019-04-01\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"exists\": \"false\"\n }\n ]\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": 
{\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#24": "{\n \"name\": \"Deny-Storage-SFTP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Storage Accounts with SFTP enabled should be denied\",\n \"description\": \"This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isSftpEnabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#25": "{\n \"name\": \"Deny-Subnet-Without-Nsg\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets should have a Network Security Group\",\n \"description\": \"This policy denies the creation of a subnet without a Network Security Group. 
NSG help to protect traffic across subnet-level.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"GatewaySubnet\",\n \"AzureFirewallSubnet\",\n \"AzureFirewallManagementSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"exists\": \"false\",\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#26": "{\n \"name\": \"Deny-Subnet-Without-Penp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n 
\"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets without Private Endpoint Network Policies enabled should be denied\",\n \"description\": \"This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"GatewaySubnet\",\n \"AzureFirewallSubnet\",\n \"AzureFirewallManagementSubnet\",\n \"AzureBastionSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": 
\"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies\",\n \"notEquals\": \"Enabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#27": "{\n \"name\": \"Deny-Subnet-Without-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets should have a User Defined Route\",\n \"description\": \"This policy denies the creation of a subnet without a User Defined Route (UDR).\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"AzureBastionSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"exists\": \"false\",\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].routeTable.id\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 
0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/routeTable.id\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#28": "{\n \"name\": \"Deny-UDR-With-Specific-NextHop\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied\",\n \"description\": \"This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"excludedDestinations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Destinations\",\n \"description\": \"Array of route destinations that are to be denied\"\n },\n \"defaultValue\": [\n \"Internet\", \n \"VirtualNetworkGateway\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/routeTables\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"where\": {\n 
\"field\": \"Microsoft.Network/routeTables/routes[*].nextHopType\",\n \"in\": \"[[parameters('excludedDestinations')]\"\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables/routes\"\n },\n {\n \"field\": \"Microsoft.Network/routeTables/routes/nextHopType\",\n \"in\": \"[[parameters('excludedDestinations')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#29": "{\n \"name\": \"Deny-VNET-Peer-Cross-Sub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering cross subscription.\",\n \"description\": \"This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\n \"notcontains\": \"[[subscription().id]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#3": "{\n \"name\": \"Append-Redis-disableNonSslPort\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n 
\"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.\",\n \"description\": \"Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Cache for Redis\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n \"equals\": \"true\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n \"value\": false\n }\n ]\n }\n }\n }\n}\n", + "$fxv#30": "{\n \"name\": \"Deny-VNET-Peering-To-Non-Approved-VNETs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering to non-approved vNets\",\n 
\"description\": \"This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed vNets to peer with\",\n \"description\": \"Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}\"\n },\n \"defaultValue\": []\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\n \"in\": \"[[parameters('allowedVnets')]\"\n }\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id\",\n \"in\": \"[[parameters('allowedVnets')]\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id\",\n \"exists\": false\n }\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#31": "{\n \"name\": \"Deny-VNet-Peering\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering \",\n \"description\": \"This policy denies the creation of vNet Peerings under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#32": "{\n \"name\": \"Deny-StorageAccount-CustomDomain\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts with custom domains assigned should be denied\",\n \"description\": \"This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n 
\"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/customDomain\",\n \"exists\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/customDomain.useSubDomainName\",\n \"equals\": \"true\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", + "$fxv#33": "{\n \"name\": \"Deny-FileServices-InsecureKerberos\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure Kerberos ticket encryption should be denied\",\n \"description\": \"This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedKerberosTicketEncryption\": {\n \"type\": \"String\",\n \"defaultValue\": \"RC4-HMAC\",\n \"allowedValues\": [\n \"RC4-HMAC\",\n \"AES-256\"\n ],\n \"metadata\": {\n \"displayName\": \"Kerberos ticket encryption supported by server. 
Valid values are RC4-HMAC, AES-256.\",\n \"description\": \"The list of kerberosTicketEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.kerberosTicketEncryption\",\n \"contains\": \"[[parameters('notAllowedKerberosTicketEncryption')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", + "$fxv#34": "{\n \"name\": \"Deny-FileServices-InsecureSmbChannel\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure SMB channel encryption should be denied\",\n \"description\": \"This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedChannelEncryption\": {\n \"type\": \"String\",\n \"defaultValue\": \"AES-128-CCM\",\n \"allowedValues\": [\n \"AES-128-CCM\",\n \"AES-128-GCM\",\n \"AES-256-GCM\"\n ],\n \"metadata\": {\n \"displayName\": \"SMB channel encryption supported by server. 
Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM.\",\n \"description\": \"The list of channelEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.channelEncryption\",\n \"contains\": \"[[parameters('notAllowedChannelEncryption')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", + "$fxv#35": "{\n \"name\": \"Deny-FileServices-InsecureSmbVersions\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure SMB versions should be denied\",\n \"description\": \"This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"allowedSmbVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"SMB3.1.1\",\n \"allowedValues\": [\n \"SMB2.1\",\n \"SMB3.0\",\n \"SMB3.1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Allowed SMB Version\",\n \"description\": \"The allowed SMB version for maximum security\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": 
\"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"not\":\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions\",\n \"contains\": \"[[parameters('allowedSmbVersion')]\"\n }\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", + "$fxv#36": "{\n \"name\": \"Deny-FileServices-InsecureAuth\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure authentication methods should be denied\",\n \"description\": \"This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedAuthMethods\": {\n \"type\": \"String\",\n \"defaultValue\": \"NTLMv2\",\n \"allowedValues\": [\n \"NTLMv2\",\n \"Kerberos\"\n ],\n \"metadata\": {\n \"displayName\": \"Authentication methods supported by server. 
Valid values are NTLMv2, Kerberos.\",\n \"description\": \"The list of channelEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.authenticationMethods\",\n \"contains\": \"[[parameters('notAllowedAuthMethods')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", + "$fxv#37": "{\n \"name\": \"Deploy-ASC-SecurityContacts\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"description\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email addresses (semi-colon separated) for Defender for Cloud contact details\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"String\",\n \"defaultValue\": \"High\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email 
notifications\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Security/securityContacts/email\",\n \"contains\": \"[[parameters('emailSecurityContact')]\"\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/isEnabled\",\n \"equals\": true\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity\",\n \"contains\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Security contacts email address\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Minimal severity level reported\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"name\": \"default\",\n \"apiVersion\": \"2023-12-01-preview\",\n \"properties\": {\n \"emails\": \"[[parameters('emailSecurityContact')]\",\n \"isEnabled\": true,\n \"notificationsByRole\": {\n \"state\": \"On\",\n 
\"roles\": [\n \"Owner\"\n ]\n },\n \"notificationsSources\": [\n {\n \"sourceType\": \"Alert\",\n \"minimalSeverity\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#38": "{\n \"name\": \"Deploy-Custom-Route-Table\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a route table with specific user defined routes\",\n \"description\": \"Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"requiredRoutes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"requiredRoutes\",\n \"description\": \"Routes that must exist in compliant route tables deployed by this policy\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vnetRegion\",\n \"description\": \"Only VNets in this region will be evaluated against this policy\"\n }\n },\n \"routeTableName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"routeTableName\",\n \"description\": \"Name of the route table automatically deployed by this policy\"\n }\n },\n \"disableBgpPropagation\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": 
\"DisableBgpPropagation\",\n \"description\": \"Disable BGP Propagation\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('routeTableName')]\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"where\": {\n \"value\": \"[[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\",\n \"in\": \"[[parameters('requiredRoutes')]\"\n }\n },\n \"equals\": \"[[length(parameters('requiredRoutes'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {\n \"copyLoop\": [\n {\n \"name\": \"routes\",\n \"count\": \"[[[length(parameters('requiredRoutes'))]\",\n \"input\": {\n \"name\": \"[[[concat('route-',copyIndex('routes'))]\",\n \"properties\": 
{\n \"addressPrefix\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\n \"nextHopType\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\",\n \"nextHopIpAddress\": \"[[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\"\n }\n }\n }\n ]\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"routeTableDepl\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[[parameters('routeTableName')]\",\n \"location\": \"[[[parameters('vnetRegion')]\",\n \"properties\": {\n \"disableBgpRoutePropagation\": \"[[[parameters('disableBgpPropagation')]\",\n \"copy\": \"[[variables('copyLoop')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n 
\"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#39": "{\n \"name\": \"Deploy-DDoSProtection\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy an Azure DDoS Network Protection\",\n \"description\": \"Deploys an Azure DDoS Network Protection\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ddosName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosName\",\n \"description\": \"DDoSVnet\"\n }\n },\n \"ddosRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosRegion\",\n \"description\": \"DDoSVnet location\",\n \"strongType\": \"location\"\n }\n },\n \"rgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"rgName\",\n \"description\": \"Provide name for resource group.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('rgName')]\",\n \"name\": \"[[parameters('ddosName')]\",\n \"roleDefinitionIds\": [\n 
\"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"rgName\": {\n \"value\": \"[[parameters('rgName')]\"\n },\n \"ddosname\": {\n \"value\": \"[[parameters('ddosname')]\"\n },\n \"ddosregion\": {\n \"value\": \"[[parameters('ddosRegion')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"rgName\": {\n \"type\": \"String\"\n },\n \"ddosname\": {\n \"type\": \"String\"\n },\n \"ddosRegion\": {\n \"type\": \"String\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"[[parameters('rgName')]\",\n \"location\": \"[[deployment().location]\",\n \"properties\": {}\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"ddosprotection\",\n \"resourceGroup\": \"[[parameters('rgName')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"apiVersion\": \"2019-12-01\",\n \"name\": \"[[parameters('ddosName')]\",\n \"location\": \"[[parameters('ddosRegion')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#4": "{\n \"name\": \"Append-Redis-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": 
\"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.\",\n \"description\": \"Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Cache for Redis\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for Redis server\",\n \"description\": \"Select version minimum TLS version Azure Cache for Redis to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"value\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n }\n 
}\n}\n", - "$fxv#40": "{\n \"name\": \"Deploy-Diagnostics-DataFactory\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DataFactory/factories\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DataFactory/factories/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ActivityRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TriggerRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageEventMessages\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageExecutableStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageEventMessageContext\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": 
\"SSISPackageExecutionComponentPhases\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageExecutionDataStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISIntegrationRuntimeLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SandboxPipelineRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SandboxActivityRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#41": "{\n \"name\": \"Deploy-Diagnostics-DLAnalytics\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DataLakeAnalytics/accounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n 
\"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": 
\"Requests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#42": "{\n \"name\": \"Deploy-Diagnostics-EventGridSub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/eventSubscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#43": "{\n \"name\": \"Deploy-Diagnostics-EventGridSystemTopic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/systemTopics\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n 
\"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/systemTopics/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DeliveryFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n 
],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#44": "{\n \"name\": \"Deploy-Diagnostics-EventGridTopic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/topics\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/topics/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DeliveryFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PublishFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": 
\"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#45": "{\n \"name\": \"Deploy-Diagnostics-ExpressRoute\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/expressRouteCircuits\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": 
[\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PeeringRouteLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#46": "{\n 
\"name\": \"Deploy-Diagnostics-Firewall\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AzureFirewallApplicationRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AzureFirewallNetworkRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AzureFirewallDnsProxy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNetworkRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWApplicationRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNatRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": 
\"AZFWThreatIntel\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWIdpsSignature\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWDnsQuery\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFqdnResolveFailure\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWApplicationRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNetworkRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNatRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFatFlow\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFlowTrace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#47": "{\n \"name\": \"Deploy-Diagnostics-FrontDoor\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/frontDoors\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n 
\"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/frontDoors/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"FrontdoorAccessLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n 
\"category\": \"FrontdoorWebApplicationFirewallLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#48": "{\n \"name\": \"Deploy-Diagnostics-Function\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"value\": \"[[field('kind')]\",\n \"contains\": \"functionapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n 
\"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"FunctionAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": 
\"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#49": "{\n \"name\": \"Deploy-Diagnostics-HDInsight\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HDInsight/clusters\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.HDInsight/clusters/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#5": "{\n \"name\": \"Deny-AppGW-Without-WAF\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Application Gateway should be deployed with WAF enabled\",\n \"description\": \"This policy enables you to restrict that Application Gateways is always deployed with WAF enabled\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n 
\"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sku.name\",\n \"notequals\": \"WAF_v2\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#50": "{\n \"name\": \"Deploy-Diagnostics-iotHub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Devices/IotHubs\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Devices/IotHubs/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Connections\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceTelemetry\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"C2DCommands\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceIdentityOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FileUploadOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Routes\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"D2CTwinOperations\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"C2DTwinOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TwinQueries\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"JobsOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DirectMethods\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DistributedTracing\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Configurations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceStreams\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#51": "{\n \"name\": \"Deploy-Diagnostics-LoadBalancer\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/loadBalancers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n 
\"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/loadBalancers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"LoadBalancerAlertEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n 
\"category\": \"LoadBalancerProbeHealthStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#52": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"microsoft.operationalinsights/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"microsoft.operationalinsights/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - 
"$fxv#53": "{\n \"name\": \"Deploy-Diagnostics-LogicAppsISE\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Logic/integrationAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": 
\"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"IntegrationAccountTrackingEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#54": "{\n \"name\": \"Deploy-Diagnostics-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n 
\"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"MySqlSlowLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n 
\"category\": \"MySqlAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#55": "{\n \"name\": \"Deploy-Diagnostics-MediaService\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Media/mediaServices\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Media/mediaServices/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"KeyDeliveryRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#56": "{\n \"name\": 
\"Deploy-Diagnostics-MlWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"AmlComputeClusterEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeClusterNodeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeJobEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeCpuGpuUtilization\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlRunStatusChangedEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ModelsChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n 
\"category\": \"ModelsReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ModelsActionEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentEventACI\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentEventAKS\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"InferencingOperationAKS\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"InferencingOperationACI\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataLabelChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataLabelReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ComputeInstanceEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataStoreChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataStoreReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataSetChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataSetReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RunEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RunReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"EnvironmentChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"EnvironmentReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n 
\"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#57": "{\n \"name\": \"Deploy-Diagnostics-MySQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMySQL/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"MySqlSlowLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MySqlAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": 
\"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-NetworkSecurityGroups\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"NetworkSecurityGroupEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"NetworkSecurityGroupRuleCounter\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#59": "{\n \"name\": \"Deploy-Diagnostics-NIC\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkInterfaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": 
\"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkInterfaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#6": "{\n \"name\": \"Deny-AppServiceApiApp-http\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"API App should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"*api\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#60": "{\n \"name\": \"Deploy-Diagnostics-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/flexibleServers\"\n },\n {\n \"field\": \"type\",\n 
\"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"resourceType\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"condition\": \"[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/flexibleServers')]\",\n \"type\": \"Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings\",\n \"apiVersion\": \"2021-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n 
\"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PostgreSQLLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n },\n {\n \"condition\": \"[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/servers')]\",\n \"type\": \"Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2021-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PostgreSQLLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryStoreRuntimeStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryStoreWaitStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"resourceType\": {\n \"value\": \"[[field('type')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#61": "{\n \"name\": \"Deploy-Diagnostics-PowerBIEmbedded\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": 
\"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.PowerBIDedicated/capacities\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": 
\"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Engine\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#62": "{\n \"name\": \"Deploy-Diagnostics-RedisCache\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": 
\"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Cache/redis/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#63": "{\n \"name\": \"Deploy-Diagnostics-Relay\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Relay/namespaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n 
\"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Relay/namespaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"HybridConnectionsEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n 
],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#64": "{\n \"name\": \"Deploy-Diagnostics-SignalR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.SignalRService/SignalR\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n 
\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.SignalRService/SignalR/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AllLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#65": "{\n \"name\": \"Deploy-Diagnostics-SQLElasticPools\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n 
\"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/elasticPools\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('fullName')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#66": "{\n \"name\": \"Deploy-Diagnostics-SQLMI\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": 
\"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/managedInstances/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"ResourceUsageStats\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SQLSecurityAuditEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DevOpsOperationsAudit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#67": "{\n \"name\": \"Deploy-Diagnostics-TimeSeriesInsights\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created 
or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.TimeSeriesInsights/environments\"\n },\n \"then\": {\n \"effect\": 
\"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Ingress\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#68": "{\n \"name\": \"Deploy-Diagnostics-TrafficManager\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/trafficManagerProfiles\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ProbeHealthStatusEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n 
}\n }\n }\n}", - "$fxv#69": "{\n \"name\": \"Deploy-Diagnostics-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"VMProtectionAlerts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#7": "{\n \"name\": 
\"Deny-AppServiceFunctionApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Function App should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"functionapp*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#70": "{\n \"name\": \"Deploy-Diagnostics-VM\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": 
\"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#71": "{\n \"name\": \"Deploy-Diagnostics-VMSS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n 
\"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachineScaleSets\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#72": "{\n \"name\": \"Deploy-Diagnostics-VNetGW\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\",\n \"metadata\": {\n \"version\": \"1.1.1\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworkGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IKEDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"P2SDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RouteDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TunnelDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#73": "{\n \"name\": \"Deploy-Diagnostics-WebServerFarm\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/serverfarms\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": 
\"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/serverfarms/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#74": "{\n \"name\": \"Deploy-Diagnostics-Website\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"value\": \"[[field('kind')]\",\n \"notContains\": 
\"functionapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"[[parameters('metricsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n },\n \"serverFarmId\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {\n \"logs\": {\n \"premiumTierLogs\": [\n {\n \"category\": \"AppServiceAntivirusScanAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceHTTPLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceConsoleLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceFileAuditLogs\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceIPSecAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServicePlatformLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ],\n \"otherTierLogs\": [ \n {\n \"category\": \"AppServiceHTTPLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceConsoleLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceIPSecAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServicePlatformLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": \"[[if(startsWith(reference(parameters('serverFarmId'), '2021-03-01', 'Full').sku.tier, 'Premium'), variables('logs').premiumTierLogs, variables('logs').otherTierLogs)]\"\n }\n }\n ],\n \"outputs\": {\n \"policy\": {\n \"type\": \"string\",\n \"value\": \"[[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]\"\n }\n }\n },\n \"parameters\": {\n \"logAnalytics\": {\n 
\"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n },\n \"serverFarmId\": {\n \"value\": \"[[field('Microsoft.Web/sites/serverFarmId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#75": "{\n \"name\": \"Deploy-Diagnostics-WVDAppGroup\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.\",\n \"metadata\": {\n \"version\": \"1.1.1\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/applicationGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#76": "{\n \"name\": \"Deploy-Diagnostics-WVDHostPools\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all and categorys enabled.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/hostpools\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": 
\"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Connection\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"HostRegistration\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AgentHealthStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"NetworkData\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SessionHostManagement\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n 
]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#77": "{\n \"name\": \"Deploy-Diagnostics-WVDWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.\",\n \"metadata\": {\n \"version\": \"1.1.1\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Feed\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#78": "{\n \"name\": \"Deploy-FirewallPolicy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Azure Firewall Manager policy in the subscription\",\n \"description\": \"Deploys Azure Firewall Manager policy in subscription where the policy is assigned.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n 
\"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"fwpolicy\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"fwpolicy\",\n \"description\": \"Object describing Azure Firewall Policy\"\n },\n \"defaultValue\": {}\n },\n \"fwPolicyRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"fwPolicyRegion\",\n \"description\": \"Select Azure region for Azure Firewall Policy\",\n \"strongType\": \"location\"\n }\n },\n \"rgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"rgName\",\n \"description\": \"Provide name for resource group.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/firewallPolicies\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('rgName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"rgName\": {\n \"value\": \"[[parameters('rgName')]\"\n },\n \"fwPolicy\": {\n \"value\": \"[[parameters('fwPolicy')]\"\n },\n \"fwPolicyRegion\": {\n \"value\": \"[[parameters('fwPolicyRegion')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"rgName\": {\n \"type\": \"String\"\n },\n \"fwPolicy\": {\n \"type\": \"object\"\n },\n \"fwPolicyRegion\": {\n \"type\": \"String\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"[[parameters('rgName')]\",\n \"location\": \"[[deployment().location]\",\n \"properties\": {}\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"fwpolicies\",\n \"resourceGroup\": \"[[parameters('rgName')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/firewallPolicies\",\n \"apiVersion\": \"2019-09-01\",\n \"name\": \"[[parameters('fwpolicy').firewallPolicyName]\",\n \"location\": \"[[parameters('fwpolicy').location]\",\n \"dependsOn\": [],\n \"tags\": {},\n \"properties\": {},\n \"resources\": [\n {\n \"type\": \"ruleGroups\",\n \"apiVersion\": \"2019-09-01\",\n \"name\": \"[[parameters('fwpolicy').ruleGroups.name]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]\"\n ],\n \"properties\": {\n \"priority\": \"[[parameters('fwpolicy').ruleGroups.properties.priority]\",\n \"rules\": \"[[parameters('fwpolicy').ruleGroups.properties.rules]\"\n }\n }\n ]\n }\n ],\n \"outputs\": {}\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#79": "{\n \"name\": \"Deploy-MySQL-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n 
\"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"equals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMySQL/servers\",\n \"apiVersion\": \"2017-12-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"sslEnforcement\": \"[[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\",\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#8": "{\n \"name\": \"Deny-AppServiceWebApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": 
\"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"app*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#80": "{\n \"name\": \"Deploy-Nsg-FlowLogs-to-LA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics\",\n \"description\": \"[Deprecated] Deprecated by built-in policy. 
Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"retention\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Retention\"\n },\n \"defaultValue\": 5\n },\n \"interval\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Traffic Analytics processing interval mins (10/60)\"\n },\n \"defaultValue\": 60\n },\n \"workspace\": {\n \"type\": \"String\",\n \"metadata\": {\n \"strongType\": \"omsWorkspace\",\n \"displayName\": \"Resource ID of Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\"\n },\n \"defaultValue\": \"\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/networkWatchers/flowlogs\",\n \"name\": \"[[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), 
'/')[10]))]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/enabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"existenceScope\": \"resourceGroup\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\",\n \"/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12\",\n \"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\",\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"resourceGroupName\": \"[[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]\",\n \"deploymentScope\": \"subscription\",\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"networkSecurityGroup\": {\n \"value\": \"[[field('id')]\"\n },\n \"workspace\": {\n \"value\": \"[[parameters('workspace')]\"\n },\n \"retention\": {\n \"value\": \"[[parameters('retention')]\"\n },\n \"interval\": {\n \"value\": \"[[parameters('interval')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"networkSecurityGroup\": {\n \"type\": \"String\"\n },\n \"workspace\": {\n \"type\": \"String\"\n },\n \"retention\": {\n \"type\": \"int\"\n },\n \"interval\": {\n \"type\": \"int\"\n },\n \"time\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[utcNow()]\"\n }\n },\n \"variables\": {\n \"resourceGroupName\": 
\"[[split(parameters('networkSecurityGroup'), '/')[4]]\",\n \"securityGroupName\": \"[[split(parameters('networkSecurityGroup'), '/')[8]]\",\n \"storageAccountName\": \"[[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\",\n \"resourceGroup\": \"[[variables('resourceGroupName')]\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [\n {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"apiVersion\": \"2019-06-01\",\n \"name\": \"[[variables('storageAccountName')]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {},\n \"kind\": \"StorageV2\",\n \"sku\": {\n \"name\": \"Standard_LRS\",\n \"tier\": \"Standard\"\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]\",\n \"resourceGroup\": \"NetworkWatcherRG\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkWatchers\",\n \"apiVersion\": \"2020-05-01\",\n \"name\": \"[[concat('NetworkWatcher_', toLower(parameters('location')))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {},\n \"resources\": [\n {\n \"type\": \"flowLogs\",\n \"apiVersion\": \"2019-11-01\",\n \"name\": \"[[concat(variables('securityGroupName'), '-Network-flowlog')]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"enabled\": true,\n 
\"format\": {\n \"type\": \"JSON\",\n \"version\": 2\n },\n \"retentionPolicy\": {\n \"days\": \"[[parameters('retention')]\",\n \"enabled\": true\n },\n \"flowAnalyticsConfiguration\": {\n \"networkWatcherFlowAnalyticsConfiguration\": {\n \"enabled\": true,\n \"trafficAnalyticsInterval\": \"[[parameters('interval')]\",\n \"workspaceResourceId\": \"[[parameters('workspace')]\"\n }\n },\n \"storageId\": \"[[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]\",\n \"targetResourceId\": \"[[parameters('networkSecurityGroup')]\"\n },\n \"dependsOn\": [\n \"[[concat('NetworkWatcher_', toLower(parameters('location')))]\"\n ]\n }\n ]\n }\n ]\n }\n },\n \"dependsOn\": [\n \"[[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\"\n ]\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#81": "{\n \"name\": \"Deploy-Nsg-FlowLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploys NSG flow logs and traffic analytics\",\n \"description\": \"[Deprecated] Deprecated by built-in policy. 
Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"retention\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Retention\"\n },\n \"defaultValue\": 5\n },\n \"storageAccountResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Storage Account Resource Id\",\n \"strongType\": \"Microsoft.Storage/storageAccounts\"\n }\n },\n \"trafficAnalyticsInterval\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Traffic Analytics processing interval mins (10/60)\"\n },\n \"defaultValue\": 60\n },\n \"flowAnalyticsEnabled\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable Traffic Analytics\"\n },\n \"defaultValue\": false\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"strongType\": \"omsWorkspace\",\n \"displayName\": \"Resource ID of Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\"\n },\n \"defaultValue\": \"\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/networkWatchers/flowLogs\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"resourceGroupName\": \"NetworkWatcherRG\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled\",\n \"equals\": \"[[parameters('flowAnalyticsEnabled')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"networkSecurityGroupName\": {\n \"value\": \"[[field('name')]\"\n },\n \"resourceGroupName\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"storageAccountResourceId\": {\n \"value\": \"[[parameters('storageAccountResourceId')]\"\n },\n \"retention\": {\n \"value\": \"[[parameters('retention')]\"\n },\n \"flowAnalyticsEnabled\": {\n \"value\": \"[[parameters('flowAnalyticsEnabled')]\"\n },\n \"trafficAnalyticsInterval\": {\n \"value\": 
\"[[parameters('trafficAnalyticsInterval')]\"\n },\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"networkSecurityGroupName\": {\n \"type\": \"String\"\n },\n \"resourceGroupName\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"storageAccountResourceId\": {\n \"type\": \"String\"\n },\n \"retention\": {\n \"type\": \"int\"\n },\n \"flowAnalyticsEnabled\": {\n \"type\": \"bool\"\n },\n \"trafficAnalyticsInterval\": {\n \"type\": \"int\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkWatchers/flowLogs\",\n \"apiVersion\": \"2020-05-01\",\n \"name\": \"[[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"targetResourceId\": \"[[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]\",\n \"storageId\": \"[[parameters('storageAccountResourceId')]\",\n \"enabled\": true,\n \"retentionPolicy\": {\n \"enabled\": true,\n \"days\": \"[[parameters('retention')]\"\n },\n \"format\": {\n \"type\": \"JSON\",\n \"version\": 2\n },\n \"flowAnalyticsConfiguration\": {\n \"networkWatcherFlowAnalyticsConfiguration\": {\n \"enabled\": \"[[bool(parameters('flowAnalyticsEnabled'))]\",\n \"trafficAnalyticsInterval\": \"[[parameters('trafficAnalyticsInterval')]\",\n \"workspaceId\": \"[[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]\",\n \"workspaceRegion\": 
\"[[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]\",\n \"workspaceResourceId\": \"[[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]\"\n }\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#82": "{\n \"name\": \"Deploy-PostgreSQL-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL \",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Database for PostgreSQL server\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notEquals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"equals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n \"apiVersion\": \"2017-12-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"sslEnforcement\": \"[[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\",\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#83": "{\n \"name\": \"Deploy-Sql-AuditingSettings\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n 
\"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/auditingSettings\",\n \"name\": \"default\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/auditingSettings/state\",\n \"equals\": \"enabled\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/auditingSettings\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"state\": \"enabled\",\n \"auditActionsAndGroups\": [\n \"BATCH_COMPLETED_GROUP\",\n \"DATABASE_OBJECT_CHANGE_GROUP\",\n \"SCHEMA_OBJECT_CHANGE_GROUP\",\n \"BACKUP_RESTORE_GROUP\",\n \"APPLICATION_ROLE_CHANGE_PASSWORD_GROUP\",\n \"DATABASE_PRINCIPAL_CHANGE_GROUP\",\n \"DATABASE_PRINCIPAL_IMPERSONATION_GROUP\",\n \"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\n \"USER_CHANGE_PASSWORD_GROUP\",\n \"DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\",\n \"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP\",\n \"DATABASE_PERMISSION_CHANGE_GROUP\",\n \"SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\",\n 
\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\n \"FAILED_DATABASE_AUTHENTICATION_GROUP\"\n ],\n \"isAzureMonitorTargetEnabled\": true\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#84": "{\n \"name\": \"Deploy-SQL-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL servers deploys a specific min TLS version requirement.\",\n \"description\": \"Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect SQL servers\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version SQL servers\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": 
\"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/servers\",\n \"apiVersion\": \"2019-06-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#85": "{\n \"name\": \"Deploy-Sql-SecurityAlertPolicies\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\",\n \"metadata\": {\n \"version\": \"1.1.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"emailAddresses\":{\n \"type\":\"Array\",\n \"defaultValue\":[\n \"admin@contoso.com\",\n \"admin@fabrikam.com\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": 
\"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/securityAlertPolicies/state\",\n \"equals\": \"Enabled\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"emailAddresses\": {\n \"type\": \"Array\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"apiVersion\": \"2018-06-01-preview\",\n \"properties\": {\n \"state\": \"Enabled\",\n \"disabledAlerts\": [\n \"\"\n ],\n \"emailAddresses\": \"[[parameters('emailAddresses')]\",\n \"emailAccountAdmins\": true,\n \"storageEndpoint\": null,\n \"storageAccountAccessKey\": \"\",\n \"retentionDays\": 0\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"emailAddresses\":{\n \"value\": \"[[parameters('emailAddresses')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#86": "{\n \"name\": \"Deploy-Sql-Tde\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": 
\"Indexed\",\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption\",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"excludedDatabases\": {\n \"type\": \"Array\",\n \"metadata\":{\n \"displayName\": \"Excluded Databases\",\n \"description\": \"Array of databases that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"master\",\n \"model\",\n \"tempdb\",\n \"msdb\",\n \"resource\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedDatabases')]\"\n\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/transparentDataEncryption.status\",\n \"equals\": \"Enabled\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": 
\"[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\n \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n \"apiVersion\": \"2014-04-01\",\n \"properties\": {\n \"status\": \"Enabled\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}", - "$fxv#87": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\",\n \"displayName\": \"The email address to send alerts. 
For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\",\n \"equals\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": 
\"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": [\n \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n ]\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#88": "{\n \"name\": \"Deploy-SqlMi-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL managed instances deploy a specific min TLS version requirement.\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect SQL servers\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version SQL servers\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"\n ],\n \"deployment\": {\n 
\"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"apiVersion\": \"2020-02-02-preview\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#89": "{\n \"name\": \"Deploy-Storage-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS \",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your Azure Storage.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Storage\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure STorage\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select TLS version for Azure Storage server\",\n \"description\": \"Select version minimum TLS version Azure STorage to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"notEquals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"notEquals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"equals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\"\n ],\n 
\"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"apiVersion\": \"2019-06-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"supportsHttpsTrafficOnly\": true,\n \"minimumTlsVersion\": \"[[parameters('minimumTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('minimumTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#9": "{\n \"name\": \"Deny-MySql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL database servers enforce SSL connections.\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#90": "{\n \"name\": \"Deploy-VNET-HubSpoke\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Virtual Network with peering to the hub\",\n \"description\": \"This policy deploys virtual network and peer to the hub\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n 
\"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vNetName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetName\",\n \"description\": \"Name of the landing zone vNet\"\n }\n },\n \"vNetRgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetRgName\",\n \"description\": \"Name of the landing zone vNet RG\"\n }\n },\n \"vNetLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetLocation\",\n \"description\": \"Location for the vNet\"\n }\n },\n \"vNetCidrRange\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetCidrRange\",\n \"description\": \"CIDR Range for the vNet\"\n }\n },\n \"hubResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"hubResourceId\",\n \"description\": \"Resource ID for the HUB vNet\"\n }\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"DNSServers\",\n \"description\": \"Default domain servers for the vNET.\"\n },\n \"defaultValue\": []\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"vNetPeerUseRemoteGateway\",\n \"description\": \"Enable gateway transit for the LZ network\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"name\": \"[[parameters('vNetName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"ResourceGroupName\": \"[[parameters('vNetRgName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n 
\"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('vNetName')]\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vNetLocation')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vNetRgName\": {\n \"value\": \"[[parameters('vNetRgName')]\"\n },\n \"vNetName\": {\n \"value\": \"[[parameters('vNetName')]\"\n },\n \"vNetLocation\": {\n \"value\": \"[[parameters('vNetLocation')]\"\n },\n \"vNetCidrRange\": {\n \"value\": \"[[parameters('vNetCidrRange')]\"\n },\n \"hubResourceId\": {\n \"value\": \"[[parameters('hubResourceId')]\"\n },\n \"dnsServers\": {\n \"value\": \"[[parameters('dnsServers')]\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"value\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vNetRgName\": {\n \"type\": \"String\"\n },\n \"vNetName\": {\n \"type\": \"String\"\n },\n \"vNetLocation\": {\n \"type\": \"String\"\n },\n \"vNetCidrRange\": {\n \"type\": \"String\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"bool\",\n \"defaultValue\": false\n },\n \"hubResourceId\": {\n \"type\": \"String\"\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"defaultValue\": []\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": 
{},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('vNetRgName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"dependsOn\": [\n \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[parameters('vNetName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"addressSpace\": {\n \"addressPrefixes\": [\n \"[[parameters('vNetCidrRange')]\"\n ]\n },\n \"dhcpOptions\": {\n \"dnsServers\": \"[[parameters('dnsServers')]\"\n }\n }\n },\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('vNetName'), '/peerToHub')]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"remoteVirtualNetwork\": {\n \"id\": \"[[parameters('hubResourceId')]\"\n },\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": false,\n \"useRemoteGateways\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-hub-peering-', parameters('vNetLocation'), '-', 
substring(uniqueString(subscription().id),0,6))]\",\n \"subscriptionId\": \"[[split(parameters('hubResourceId'),'/')[2]]\",\n \"resourceGroup\": \"[[split(parameters('hubResourceId'),'/')[4]]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"type\": \"String\",\n \"defaultValue\": false\n },\n \"hubName\": {\n \"type\": \"String\",\n \"defaultValue\": false\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"name\": \"[[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\n \"apiVersion\": \"2021-02-01\",\n \"properties\": {\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": true,\n \"useRemoteGateways\": false,\n \"remoteVirtualNetwork\": {\n \"id\": \"[[[parameters('remoteVirtualNetwork')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"value\": \"[[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]\"\n },\n \"hubName\": {\n \"value\": \"[[split(parameters('hubResourceId'),'/')[8]]\"\n }\n }\n }\n }\n ],\n \"outputs\": {}\n }\n },\n \"resourceGroup\": \"[[parameters('vNetRgName')]\"\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#91": "{\n \"name\": \"Deploy-Windows-DomainJoin\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Windows Domain Join 
Extension with keyvault configuration\",\n \"description\": \"Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"domainUsername\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainUsername\"\n }\n },\n \"domainPassword\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainPassword\"\n }\n },\n \"domainFQDN\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainFQDN\"\n }\n },\n \"domainOUPath\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainOUPath\"\n }\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"keyVaultResourceId\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"MicrosoftWindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageOffer\",\n \"equals\": \"WindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"in\": [\n \"2008-R2-SP1\",\n \"2008-R2-SP1-smalldisk\",\n \"2008-R2-SP1-zhcn\",\n \"2012-Datacenter\",\n \"2012-datacenter-gensecond\",\n \"2012-Datacenter-smalldisk\",\n \"2012-datacenter-smalldisk-g2\",\n \"2012-Datacenter-zhcn\",\n \"2012-datacenter-zhcn-g2\",\n \"2012-R2-Datacenter\",\n 
\"2012-r2-datacenter-gensecond\",\n \"2012-R2-Datacenter-smalldisk\",\n \"2012-r2-datacenter-smalldisk-g2\",\n \"2012-R2-Datacenter-zhcn\",\n \"2012-r2-datacenter-zhcn-g2\",\n \"2016-Datacenter\",\n \"2016-datacenter-gensecond\",\n \"2016-datacenter-gs\",\n \"2016-Datacenter-Server-Core\",\n \"2016-datacenter-server-core-g2\",\n \"2016-Datacenter-Server-Core-smalldisk\",\n \"2016-datacenter-server-core-smalldisk-g2\",\n \"2016-Datacenter-smalldisk\",\n \"2016-datacenter-smalldisk-g2\",\n \"2016-Datacenter-with-Containers\",\n \"2016-datacenter-with-containers-g2\",\n \"2016-Datacenter-with-RDSH\",\n \"2016-Datacenter-zhcn\",\n \"2016-datacenter-zhcn-g2\",\n \"2019-Datacenter\",\n \"2019-Datacenter-Core\",\n \"2019-datacenter-core-g2\",\n \"2019-Datacenter-Core-smalldisk\",\n \"2019-datacenter-core-smalldisk-g2\",\n \"2019-Datacenter-Core-with-Containers\",\n \"2019-datacenter-core-with-containers-g2\",\n \"2019-Datacenter-Core-with-Containers-smalldisk\",\n \"2019-datacenter-core-with-containers-smalldisk-g2\",\n \"2019-datacenter-gensecond\",\n \"2019-datacenter-gs\",\n \"2019-Datacenter-smalldisk\",\n \"2019-datacenter-smalldisk-g2\",\n \"2019-Datacenter-with-Containers\",\n \"2019-datacenter-with-containers-g2\",\n \"2019-Datacenter-with-Containers-smalldisk\",\n \"2019-datacenter-with-containers-smalldisk-g2\",\n \"2019-Datacenter-zhcn\",\n \"2019-datacenter-zhcn-g2\",\n \"Datacenter-Core-1803-with-Containers-smalldisk\",\n \"datacenter-core-1803-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1809-with-Containers-smalldisk\",\n \"datacenter-core-1809-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1903-with-Containers-smalldisk\",\n \"datacenter-core-1903-with-containers-smalldisk-g2\",\n \"datacenter-core-1909-with-containers-smalldisk\",\n \"datacenter-core-1909-with-containers-smalldisk-g1\",\n \"datacenter-core-1909-with-containers-smalldisk-g2\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": 
\"Microsoft.Compute/virtualMachines/extensions\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"JsonADDomainExtension\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Compute\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"domainUsername\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainUsername')]\"\n }\n },\n \"domainPassword\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainPassword')]\"\n }\n },\n \"domainOUPath\": {\n \"value\": \"[[parameters('domainOUPath')]\"\n },\n \"domainFQDN\": {\n \"value\": \"[[parameters('domainFQDN')]\"\n },\n \"keyVaultResourceId\": {\n \"value\": \"[[parameters('keyVaultResourceId')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"domainUsername\": {\n \"type\": \"String\"\n },\n \"domainPassword\": {\n \"type\": \"securestring\"\n },\n \"domainFQDN\": {\n \"type\": \"String\"\n },\n \"domainOUPath\": {\n \"type\": \"String\"\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {\n \"domainJoinOptions\": 3,\n \"vmName\": \"[[parameters('vmName')]\"\n },\n \"resources\": [\n {\n \"apiVersion\": \"2015-06-15\",\n \"type\": 
\"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(variables('vmName'),'/joindomain')]\",\n \"location\": \"[[resourceGroup().location]\",\n \"properties\": {\n \"publisher\": \"Microsoft.Compute\",\n \"type\": \"JsonADDomainExtension\",\n \"typeHandlerVersion\": \"1.3\",\n \"autoUpgradeMinorVersion\": true,\n \"settings\": {\n \"Name\": \"[[parameters('domainFQDN')]\",\n \"User\": \"[[parameters('domainUserName')]\",\n \"Restart\": \"true\",\n \"Options\": \"[[variables('domainJoinOptions')]\",\n \"OUPath\": \"[[parameters('domainOUPath')]\"\n },\n \"protectedSettings\": {\n \"Password\": \"[[parameters('domainPassword')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#92": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n 
\"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#93": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#94": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n 
\"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#95": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n 
\"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#96": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n 
}\n}\n", - "$fxv#97": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#98": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure 
Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#99": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": 
\"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n 
\"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#40": "{\n \"name\": \"Deploy-Diagnostics-AA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Automation/automationAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Automation/automationAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"JobLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"JobStreams\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DscNodeStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AuditEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": 
\"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#41": "{\n \"name\": \"Deploy-Diagnostics-ACI\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ContainerInstance/containerGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#42": "{\n \"name\": \"Deploy-Diagnostics-ACR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n 
\"equals\": \"Microsoft.ContainerRegistry/registries\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ContainerRegistry/registries/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n 
],\n \"logs\": [\n {\n \"category\": \"ContainerRegistryLoginEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ContainerRegistryRepositoryEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#43": "{\n \"name\": \"Deploy-Diagnostics-AnalysisService\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.AnalysisServices/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.AnalysisServices/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Engine\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Service\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": 
\"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#44": "{\n \"name\": \"Deploy-Diagnostics-ApiForFHIR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HealthcareApis/services\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.HealthcareApis/services/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#45": "{\n \"name\": 
\"Deploy-Diagnostics-APIMgmt\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics destination type\",\n \"description\": \"Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. 
Default is 'AzureDiagnostics'\"\n },\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ]\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ApiManagement/service\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ApiManagement/service/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"WebSocketConnectionLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ],\n \"logAnalyticsDestinationType\": \"[[parameters('logAnalyticsDestinationType')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('logAnalyticsDestinationType')]\"\n },\n \"location\": {\n \"value\": 
\"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-ApplicationGateway\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": 
[\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/applicationGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ApplicationGatewayAccessLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ApplicationGatewayPerformanceLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ApplicationGatewayFirewallLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": 
\"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#47": "{\n \"name\": \"Deploy-Diagnostics-Bastion\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/bastionHosts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/bastionHosts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"BastionAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#48": "{\n \"name\": 
\"Deploy-Diagnostics-CDNEndpoints\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cdn/profiles/endpoints\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": 
\"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"CoreAnalytics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('fullName')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#49": "{\n \"name\": \"Deploy-Diagnostics-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n 
\"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.CognitiveServices/accounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n 
],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RequestResponse\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Trace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#5": "{\n \"name\": \"Audit-Disks-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused Disks driving cost should be avoided\",\n \"mode\": \"All\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. 
Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/disks\"\n },\n {\n \"field\": \"Microsoft.Compute/disks/diskState\",\n \"equals\": \"Unattached\"\n },\n {\n \"allof\": [\n {\n \"field\": \"name\",\n \"notlike\": \"*-ASRReplica\"\n },\n {\n \"field\": \"name\",\n \"notlike\": \"ms-asr-*\"\n },\n {\n \"field\": \"name\",\n \"notlike\": \"asrseeddisk-*\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#50": "{\n \"name\": \"Deploy-Diagnostics-CosmosDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n 
\"equals\": \"Microsoft.DocumentDB/databaseAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"Requests\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n 
],\n \"logs\": [\n {\n \"category\": \"DataPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MongoRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryRuntimeStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PartitionKeyStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PartitionKeyRUConsumption\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ControlPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"CassandraRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"GremlinRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableApiRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#51": "{\n \"name\": \"Deploy-Diagnostics-Databricks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.3.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": 
\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Databricks/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"dbfs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clusters\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"accounts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"jobs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"notebook\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ssh\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"workspace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"secrets\",\n 
\"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"sqlPermissions\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"instancePools\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"sqlanalytics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"genie\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"globalInitScripts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"iamRole\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"mlflowExperiment\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"featureStore\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RemoteHistoryService\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"mlflowAcledArtifact\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"databrickssql\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"deltaPipelines\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"modelRegistry\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"repos\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"unityCatalog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"gitCredentials\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"webTerminal\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"serverlessRealTimeInference\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clusterLibraries\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"partnerHub\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clamAVScan\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n 
\"category\": \"capsule8Dataplane\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#52": "{\n \"name\": \"Deploy-Diagnostics-DataExplorerCluster\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Kusto/Clusters\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Kusto/Clusters/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"SucceededIngestion\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FailedIngestion\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IngestionBatching\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Command\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Query\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableUsageStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableDetails\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#53": "{\n \"name\": \"Deploy-Diagnostics-DataFactory\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DataFactory/factories\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DataFactory/factories/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ActivityRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TriggerRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageEventMessages\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageExecutableStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageEventMessageContext\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": 
\"SSISPackageExecutionComponentPhases\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageExecutionDataStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISIntegrationRuntimeLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SandboxPipelineRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SandboxActivityRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#54": "{\n \"name\": \"Deploy-Diagnostics-DLAnalytics\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n 
\"equals\": \"Microsoft.DataLakeAnalytics/accounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n 
],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Requests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#55": "{\n \"name\": \"Deploy-Diagnostics-EventGridSub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/eventSubscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#56": "{\n \"name\": \"Deploy-Diagnostics-EventGridSystemTopic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n 
\"equals\": \"Microsoft.EventGrid/systemTopics\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/systemTopics/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n 
\"logs\": [\n {\n \"category\": \"DeliveryFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#57": "{\n \"name\": \"Deploy-Diagnostics-EventGridTopic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/topics\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/topics/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DeliveryFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PublishFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n 
\"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-ExpressRoute\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/expressRouteCircuits\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": 
[\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PeeringRouteLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#59": "{\n 
\"name\": \"Deploy-Diagnostics-Firewall\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics destination type\",\n \"description\": \"Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. 
Default is 'AzureDiagnostics'\"\n },\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ]\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logAnalyticsDestinationType\": \"[[parameters('logAnalyticsDestinationType')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AzureFirewallApplicationRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AzureFirewallNetworkRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AzureFirewallDnsProxy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNetworkRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWApplicationRule\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNatRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWThreatIntel\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWIdpsSignature\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWDnsQuery\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFqdnResolveFailure\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWApplicationRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNetworkRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNatRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFatFlow\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFlowTrace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('logAnalyticsDestinationType')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#6": "{\n \"name\": \"Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused Public IP addresses driving cost should be avoided\",\n \"mode\": \"All\",\n \"description\": 
\"Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"microsoft.network/publicIpAddresses\"\n },\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/publicIPAllocationMethod\",\n \"equals\": \"Static\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/natGateway\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/natGateway')), 0)]\",\n \"equals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/ipConfiguration\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/ipConfiguration')), 0)]\",\n \"equals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/publicIPPrefix\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/publicIPPrefix')), 0)]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#60": "{\n \"name\": \"Deploy-Diagnostics-FrontDoor\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": 
\"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": 
{\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/frontDoors\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/frontDoors/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": 
\"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"FrontdoorAccessLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FrontdoorWebApplicationFirewallLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#61": "{\n \"name\": \"Deploy-Diagnostics-Function\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n 
\"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"value\": \"[[field('kind')]\",\n \"contains\": \"functionapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": 
{\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"FunctionAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#62": "{\n \"name\": \"Deploy-Diagnostics-HDInsight\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HDInsight/clusters\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.HDInsight/clusters/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#63": "{\n \"name\": \"Deploy-Diagnostics-iotHub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n 
\"equals\": \"Microsoft.Devices/IotHubs\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Devices/IotHubs/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n 
\"category\": \"Connections\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceTelemetry\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"C2DCommands\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceIdentityOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FileUploadOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Routes\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"D2CTwinOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"C2DTwinOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TwinQueries\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"JobsOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DirectMethods\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DistributedTracing\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Configurations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceStreams\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#64": "{\n \"name\": \"Deploy-Diagnostics-LoadBalancer\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n 
\"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/loadBalancers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/loadBalancers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"LoadBalancerAlertEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"LoadBalancerProbeHealthStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": 
{\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#65": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"microsoft.operationalinsights/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"microsoft.operationalinsights/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + 
"$fxv#66": "{\n \"name\": \"Deploy-Diagnostics-LogicAppsISE\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Logic/integrationAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": 
\"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"IntegrationAccountTrackingEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#67": "{\n \"name\": \"Deploy-Diagnostics-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. 
Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb\",\n \"metadata\": {\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": 
\"Microsoft.DBforMariaDB/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n 
\"category\": \"MySqlSlowLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MySqlAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#68": "{\n \"name\": \"Deploy-Diagnostics-MediaService\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Media/mediaServices\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Media/mediaServices/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"KeyDeliveryRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#69": "{\n \"name\": 
\"Deploy-Diagnostics-MlWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"AmlComputeClusterEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeClusterNodeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeJobEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeCpuGpuUtilization\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlRunStatusChangedEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ModelsChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n 
\"category\": \"ModelsReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ModelsActionEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentEventACI\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentEventAKS\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"InferencingOperationAKS\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"InferencingOperationACI\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataLabelChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataLabelReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ComputeInstanceEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataStoreChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataStoreReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataSetChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataSetReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RunEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RunReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"EnvironmentChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"EnvironmentReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n 
\"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#7": "{\n \"name\": \"Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused App Service plans driving cost should be avoided\",\n \"mode\": \"All\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/serverfarms\"\n },\n {\n \"field\": \"Microsoft.Web/serverFarms/sku.tier\",\n \"notEquals\": \"Free\"\n },\n {\n \"field\": \"Microsoft.Web/serverFarms/numberOfSites\",\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#70": "{\n \"name\": \"Deploy-Diagnostics-MySQL\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMySQL/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"MySqlSlowLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MySqlAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": 
\"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#71": "{\n \"name\": \"Deploy-Diagnostics-NetworkSecurityGroups\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"NetworkSecurityGroupEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"NetworkSecurityGroupRuleCounter\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#72": "{\n \"name\": \"Deploy-Diagnostics-NIC\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkInterfaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": 
\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkInterfaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + 
"$fxv#73": "{\n \"name\": \"Deploy-Diagnostics-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/flexibleServers\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": 
\"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"resourceType\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"condition\": \"[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/flexibleServers')]\",\n \"type\": \"Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings\",\n \"apiVersion\": \"2021-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PostgreSQLLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n },\n {\n \"condition\": \"[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/servers')]\",\n \"type\": \"Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings\",\n \"apiVersion\": 
\"2021-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PostgreSQLLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryStoreRuntimeStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryStoreWaitStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"resourceType\": {\n \"value\": \"[[field('type')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#74": "{\n \"name\": \"Deploy-Diagnostics-PowerBIEmbedded\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n 
\"equals\": \"Microsoft.PowerBIDedicated/capacities\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n 
],\n \"logs\": [\n {\n \"category\": \"Engine\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#75": "{\n \"name\": \"Deploy-Diagnostics-RedisCache\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": 
\"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Cache/redis/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#76": "{\n \"name\": \"Deploy-Diagnostics-Relay\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n 
\"equals\": \"Microsoft.Relay/namespaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Relay/namespaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n 
\"category\": \"HybridConnectionsEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#77": "{\n \"name\": \"Deploy-Diagnostics-SignalR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.SignalRService/SignalR\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n 
\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.SignalRService/SignalR/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AllLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#78": "{\n \"name\": \"Deploy-Diagnostics-SQLElasticPools\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/elasticPools\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('fullName')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#79": "{\n \"name\": \"Deploy-Diagnostics-SQLMI\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": 
\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/managedInstances/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"ResourceUsageStats\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SQLSecurityAuditEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DevOpsOperationsAudit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": 
{\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#8": "{\n \"name\": \"Audit-AzureHybridBenefit\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit AHUB for eligible VMs\",\n \"mode\": \"All\",\n \"description\": \"Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Compute/virtualMachines\",\n \"Microsoft.Compute/virtualMachineScaleSets\"\n ]\n },\n {\n \"equals\": \"MicrosoftWindowsServer\",\n \"field\": \"Microsoft.Compute/imagePublisher\"\n },\n {\n \"equals\": \"WindowsServer\",\n \"field\": \"Microsoft.Compute/imageOffer\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"like\": \"2008-R2-SP1*\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"like\": \"2012-*\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"like\": \"2016-*\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"like\": \"2019-*\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"like\": \"2022-*\"\n }\n ]\n },\n {\n \"field\": \"Microsoft.Compute/licenseType\",\n \"notEquals\": \"Windows_Server\"\n }\n ]\n },\n \"then\": {\n \"effect\": 
\"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#80": "{\n \"name\": \"Deploy-Diagnostics-TimeSeriesInsights\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.TimeSeriesInsights/environments\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Ingress\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n 
\"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#81": "{\n \"name\": \"Deploy-Diagnostics-TrafficManager\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/trafficManagerProfiles\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ProbeHealthStatusEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n 
}\n }\n }\n}", + "$fxv#82": "{\n \"name\": \"Deploy-Diagnostics-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"VMProtectionAlerts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#83": "{\n \"name\": 
\"Deploy-Diagnostics-VM\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#84": "{\n \"name\": \"Deploy-Diagnostics-VMSS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachineScaleSets\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n 
\"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + 
"$fxv#85": "{\n \"name\": \"Deploy-Diagnostics-VNetGW\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworkGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n 
\"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IKEDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"P2SDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RouteDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TunnelDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": 
\"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#86": "{\n \"name\": \"Deploy-Diagnostics-WebServerFarm\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/serverfarms\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": 
\"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/serverfarms/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#87": "{\n \"name\": \"Deploy-Diagnostics-Website\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n 
\"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"value\": \"[[field('kind')]\",\n \"notContains\": \"functionapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"[[parameters('metricsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n },\n \"serverFarmId\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {\n \"logs\": {\n \"premiumTierLogs\": [\n {\n \"category\": \"AppServiceAntivirusScanAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceHTTPLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceConsoleLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAppLogs\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceFileAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceIPSecAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServicePlatformLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ],\n \"otherTierLogs\": [ \n {\n \"category\": \"AppServiceHTTPLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceConsoleLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceIPSecAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServicePlatformLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": \"[[if(startsWith(reference(parameters('serverFarmId'), '2021-03-01', 'Full').sku.tier, 'Premium'), variables('logs').premiumTierLogs, variables('logs').otherTierLogs)]\"\n }\n }\n ],\n \"outputs\": {\n \"policy\": {\n \"type\": \"string\",\n \"value\": \"[[concat(parameters('logAnalytics'), 'configured for diagnostic logs 
for ', ': ', parameters('resourceName'))]\"\n }\n }\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n },\n \"serverFarmId\": {\n \"value\": \"[[field('Microsoft.Web/sites/serverFarmId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#88": "{\n \"name\": \"Deploy-Diagnostics-WVDAppGroup\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/applicationGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#89": "{\n \"name\": \"Deploy-Diagnostics-WVDHostPools\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or 
updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.3.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/hostpools\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n 
\"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Connection\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"HostRegistration\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AgentHealthStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"NetworkData\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SessionHostManagement\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ConnectionGraphicsData\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#9": "{\n \"name\": \"Deny-AppGW-Without-WAF\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Application Gateway should be deployed with WAF enabled\",\n \"description\": \"This policy enables you to restrict that Application Gateways is always deployed with WAF enabled\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sku.name\",\n \"notequals\": \"WAF_v2\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#90": "{\n \"name\": 
\"Deploy-Diagnostics-WVDWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Feed\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#91": "{\n \"name\": \"Deploy-FirewallPolicy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Azure Firewall Manager policy in the subscription\",\n \"description\": \"Deploys Azure Firewall Manager policy in subscription where the policy is assigned.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n 
\"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"fwpolicy\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"fwpolicy\",\n \"description\": \"Object describing Azure Firewall Policy\"\n },\n \"defaultValue\": {}\n },\n \"fwPolicyRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"fwPolicyRegion\",\n \"description\": \"Select Azure region for Azure Firewall Policy\",\n \"strongType\": \"location\"\n }\n },\n \"rgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"rgName\",\n \"description\": \"Provide name for resource group.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/firewallPolicies\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('rgName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"rgName\": {\n \"value\": \"[[parameters('rgName')]\"\n },\n \"fwPolicy\": {\n \"value\": \"[[parameters('fwPolicy')]\"\n },\n \"fwPolicyRegion\": {\n \"value\": \"[[parameters('fwPolicyRegion')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"rgName\": {\n \"type\": \"String\"\n },\n \"fwPolicy\": {\n \"type\": \"object\"\n },\n \"fwPolicyRegion\": {\n \"type\": \"String\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"[[parameters('rgName')]\",\n \"location\": \"[[deployment().location]\",\n \"properties\": {}\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"fwpolicies\",\n \"resourceGroup\": \"[[parameters('rgName')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/firewallPolicies\",\n \"apiVersion\": \"2019-09-01\",\n \"name\": \"[[parameters('fwpolicy').firewallPolicyName]\",\n \"location\": \"[[parameters('fwpolicy').location]\",\n \"dependsOn\": [],\n \"tags\": {},\n \"properties\": {},\n \"resources\": [\n {\n \"type\": \"ruleGroups\",\n \"apiVersion\": \"2019-09-01\",\n \"name\": \"[[parameters('fwpolicy').ruleGroups.name]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]\"\n ],\n \"properties\": {\n \"priority\": \"[[parameters('fwpolicy').ruleGroups.properties.priority]\",\n \"rules\": \"[[parameters('fwpolicy').ruleGroups.properties.rules]\"\n }\n }\n ]\n }\n ],\n \"outputs\": {}\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#92": "{\n \"name\": \"Deploy-MySQL-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n 
\"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n 
\"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"equals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMySQL/servers\",\n \"apiVersion\": \"2017-12-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"sslEnforcement\": \"[[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\",\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#93": "{\n \"name\": \"Deploy-Nsg-FlowLogs-to-LA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": 
\"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics\",\n \"description\": \"[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"e920df7f-9a64-4066-9b58-52684c02a091\",\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"retention\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Retention\"\n },\n \"defaultValue\": 5\n },\n \"interval\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Traffic Analytics processing interval mins (10/60)\"\n },\n \"defaultValue\": 60\n },\n \"workspace\": {\n \"type\": \"String\",\n \"metadata\": {\n \"strongType\": \"omsWorkspace\",\n \"displayName\": \"Resource ID of Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\"\n },\n \"defaultValue\": \"\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/networkWatchers/flowlogs\",\n \"name\": \"[[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/enabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"existenceScope\": \"resourceGroup\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\",\n \"/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12\",\n \"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\",\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"resourceGroupName\": \"[[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), 
'/')[4])]\",\n \"deploymentScope\": \"subscription\",\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"networkSecurityGroup\": {\n \"value\": \"[[field('id')]\"\n },\n \"workspace\": {\n \"value\": \"[[parameters('workspace')]\"\n },\n \"retention\": {\n \"value\": \"[[parameters('retention')]\"\n },\n \"interval\": {\n \"value\": \"[[parameters('interval')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"networkSecurityGroup\": {\n \"type\": \"String\"\n },\n \"workspace\": {\n \"type\": \"String\"\n },\n \"retention\": {\n \"type\": \"int\"\n },\n \"interval\": {\n \"type\": \"int\"\n },\n \"time\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[utcNow()]\"\n }\n },\n \"variables\": {\n \"resourceGroupName\": \"[[split(parameters('networkSecurityGroup'), '/')[4]]\",\n \"securityGroupName\": \"[[split(parameters('networkSecurityGroup'), '/')[8]]\",\n \"storageAccountName\": \"[[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\",\n \"resourceGroup\": \"[[variables('resourceGroupName')]\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [\n {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"apiVersion\": \"2019-06-01\",\n \"name\": \"[[variables('storageAccountName')]\",\n \"location\": \"[[parameters('location')]\",\n 
\"properties\": {},\n \"kind\": \"StorageV2\",\n \"sku\": {\n \"name\": \"Standard_LRS\",\n \"tier\": \"Standard\"\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]\",\n \"resourceGroup\": \"NetworkWatcherRG\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkWatchers\",\n \"apiVersion\": \"2020-05-01\",\n \"name\": \"[[concat('NetworkWatcher_', toLower(parameters('location')))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {},\n \"resources\": [\n {\n \"type\": \"flowLogs\",\n \"apiVersion\": \"2019-11-01\",\n \"name\": \"[[concat(variables('securityGroupName'), '-Network-flowlog')]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"enabled\": true,\n \"format\": {\n \"type\": \"JSON\",\n \"version\": 2\n },\n \"retentionPolicy\": {\n \"days\": \"[[parameters('retention')]\",\n \"enabled\": true\n },\n \"flowAnalyticsConfiguration\": {\n \"networkWatcherFlowAnalyticsConfiguration\": {\n \"enabled\": true,\n \"trafficAnalyticsInterval\": \"[[parameters('interval')]\",\n \"workspaceResourceId\": \"[[parameters('workspace')]\"\n }\n },\n \"storageId\": \"[[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]\",\n \"targetResourceId\": \"[[parameters('networkSecurityGroup')]\"\n },\n \"dependsOn\": [\n \"[[concat('NetworkWatcher_', toLower(parameters('location')))]\"\n ]\n }\n ]\n }\n ]\n }\n },\n \"dependsOn\": [\n \"[[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\"\n ]\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}", + 
"$fxv#94": "{\n \"name\": \"Deploy-Nsg-FlowLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploys NSG flow logs and traffic analytics\",\n \"description\": \"[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"e920df7f-9a64-4066-9b58-52684c02a091\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"retention\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Retention\"\n },\n \"defaultValue\": 5\n },\n \"storageAccountResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Storage Account Resource Id\",\n \"strongType\": \"Microsoft.Storage/storageAccounts\"\n }\n },\n \"trafficAnalyticsInterval\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Traffic Analytics processing interval mins (10/60)\"\n },\n \"defaultValue\": 60\n },\n \"flowAnalyticsEnabled\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable Traffic Analytics\"\n },\n \"defaultValue\": false\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"strongType\": \"omsWorkspace\",\n \"displayName\": \"Resource ID of Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\"\n },\n \"defaultValue\": \"\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/networkWatchers/flowLogs\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"resourceGroupName\": \"NetworkWatcherRG\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled\",\n \"equals\": \"[[parameters('flowAnalyticsEnabled')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"networkSecurityGroupName\": {\n \"value\": \"[[field('name')]\"\n },\n \"resourceGroupName\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"storageAccountResourceId\": {\n \"value\": \"[[parameters('storageAccountResourceId')]\"\n },\n \"retention\": {\n \"value\": \"[[parameters('retention')]\"\n },\n \"flowAnalyticsEnabled\": {\n \"value\": \"[[parameters('flowAnalyticsEnabled')]\"\n },\n \"trafficAnalyticsInterval\": {\n \"value\": 
\"[[parameters('trafficAnalyticsInterval')]\"\n },\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"networkSecurityGroupName\": {\n \"type\": \"String\"\n },\n \"resourceGroupName\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"storageAccountResourceId\": {\n \"type\": \"String\"\n },\n \"retention\": {\n \"type\": \"int\"\n },\n \"flowAnalyticsEnabled\": {\n \"type\": \"bool\"\n },\n \"trafficAnalyticsInterval\": {\n \"type\": \"int\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkWatchers/flowLogs\",\n \"apiVersion\": \"2020-05-01\",\n \"name\": \"[[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"targetResourceId\": \"[[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]\",\n \"storageId\": \"[[parameters('storageAccountResourceId')]\",\n \"enabled\": true,\n \"retentionPolicy\": {\n \"enabled\": true,\n \"days\": \"[[parameters('retention')]\"\n },\n \"format\": {\n \"type\": \"JSON\",\n \"version\": 2\n },\n \"flowAnalyticsConfiguration\": {\n \"networkWatcherFlowAnalyticsConfiguration\": {\n \"enabled\": \"[[bool(parameters('flowAnalyticsEnabled'))]\",\n \"trafficAnalyticsInterval\": \"[[parameters('trafficAnalyticsInterval')]\",\n \"workspaceId\": \"[[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]\",\n \"workspaceRegion\": 
\"[[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]\",\n \"workspaceResourceId\": \"[[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]\"\n }\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#95": "{\n \"name\": \"Deploy-PostgreSQL-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL \",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Database for PostgreSQL server\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notEquals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"equals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n 
\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n \"apiVersion\": \"2017-12-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"sslEnforcement\": \"[[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\",\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#96": "{\n \"name\": \"Deploy-Sql-AuditingSettings\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n 
\"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/auditingSettings\",\n \"name\": \"default\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/auditingSettings/state\",\n \"equals\": \"enabled\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/auditingSettings\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"state\": \"enabled\",\n \"auditActionsAndGroups\": [\n \"BATCH_COMPLETED_GROUP\",\n \"DATABASE_OBJECT_CHANGE_GROUP\",\n \"SCHEMA_OBJECT_CHANGE_GROUP\",\n \"BACKUP_RESTORE_GROUP\",\n \"APPLICATION_ROLE_CHANGE_PASSWORD_GROUP\",\n \"DATABASE_PRINCIPAL_CHANGE_GROUP\",\n \"DATABASE_PRINCIPAL_IMPERSONATION_GROUP\",\n \"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\n \"USER_CHANGE_PASSWORD_GROUP\",\n \"DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\",\n \"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP\",\n \"DATABASE_PERMISSION_CHANGE_GROUP\",\n \"SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\",\n 
\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\n \"FAILED_DATABASE_AUTHENTICATION_GROUP\"\n ],\n \"isAzureMonitorTargetEnabled\": true\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#97": "{\n \"name\": \"Deploy-SQL-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL servers deploys a specific min TLS version requirement.\",\n \"description\": \"Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect SQL servers\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version SQL servers\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": 
\"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/servers\",\n \"apiVersion\": \"2019-06-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#98": "{\n \"name\": \"Deploy-Sql-SecurityAlertPolicies\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\",\n \"metadata\": {\n \"version\": \"1.1.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"emailAddresses\":{\n \"type\":\"Array\",\n \"defaultValue\":[\n \"admin@contoso.com\",\n \"admin@fabrikam.com\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": 
\"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/securityAlertPolicies/state\",\n \"equals\": \"Enabled\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"emailAddresses\": {\n \"type\": \"Array\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"apiVersion\": \"2018-06-01-preview\",\n \"properties\": {\n \"state\": \"Enabled\",\n \"disabledAlerts\": [\n \"\"\n ],\n \"emailAddresses\": \"[[parameters('emailAddresses')]\",\n \"emailAccountAdmins\": true,\n \"storageEndpoint\": null,\n \"storageAccountAccessKey\": \"\",\n \"retentionDays\": 0\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"emailAddresses\":{\n \"value\": \"[[parameters('emailAddresses')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#99": "{\n \"name\": \"Deploy-Sql-Tde\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": 
\"Indexed\",\n \"displayName\": \"[Deprecated] Deploy SQL Database Transparent Data Encryption\",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"excludedDatabases\": {\n \"type\": \"Array\",\n \"metadata\":{\n \"displayName\": \"Excluded Databases\",\n \"description\": \"Array of databases that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"master\",\n \"model\",\n \"tempdb\",\n \"msdb\",\n \"resource\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedDatabases')]\"\n\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/transparentDataEncryption.status\",\n \"equals\": \"Enabled\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n 
\"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\n \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n \"apiVersion\": \"2014-04-01\",\n \"properties\": {\n \"status\": \"Enabled\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { "AzureCloud": "northeurope", @@ -362,9 +356,7 @@ "[variables('$fxv#88')]", "[variables('$fxv#89')]", "[variables('$fxv#90')]", - "[variables('$fxv#91')]" - ], - "AzureCloud": [ + "[variables('$fxv#91')]", "[variables('$fxv#92')]", "[variables('$fxv#93')]", "[variables('$fxv#94')]", @@ -379,9 +371,7 @@ "[variables('$fxv#103')]", "[variables('$fxv#104')]", "[variables('$fxv#105')]", - "[variables('$fxv#106')]" - ], - "AzureChinaCloud": [ + "[variables('$fxv#106')]", "[variables('$fxv#107')]", "[variables('$fxv#108')]", "[variables('$fxv#109')]", 
@@ -390,39 +380,67 @@ "[variables('$fxv#112')]", "[variables('$fxv#113')]", "[variables('$fxv#114')]", - "[variables('$fxv#115')]" - ], - "AzureUSGovernment": [ + "[variables('$fxv#115')]", "[variables('$fxv#116')]", "[variables('$fxv#117')]", - "[variables('$fxv#118')]" - ] - }, - "loadPolicySetDefinitions": { - "All": [ + "[variables('$fxv#118')]", "[variables('$fxv#119')]", - "[variables('$fxv#120')]" - ], - "AzureCloud": [ + "[variables('$fxv#120')]", "[variables('$fxv#121')]", "[variables('$fxv#122')]", "[variables('$fxv#123')]", "[variables('$fxv#124')]", - "[variables('$fxv#125')]" - ], - "AzureChinaCloud": [ + "[variables('$fxv#125')]", "[variables('$fxv#126')]", "[variables('$fxv#127')]", "[variables('$fxv#128')]", "[variables('$fxv#129')]", - "[variables('$fxv#130')]" - ], - "AzureUSGovernment": [ + "[variables('$fxv#130')]", "[variables('$fxv#131')]", "[variables('$fxv#132')]", "[variables('$fxv#133')]", "[variables('$fxv#134')]", - "[variables('$fxv#135')]" + "[variables('$fxv#135')]", + "[variables('$fxv#136')]", + "[variables('$fxv#137')]", + "[variables('$fxv#138')]", + "[variables('$fxv#139')]", + "[variables('$fxv#140')]", + "[variables('$fxv#141')]", + "[variables('$fxv#142')]" + ], + "AzureCloud": [ + "[variables('$fxv#143')]", + "[variables('$fxv#144')]", + "[variables('$fxv#145')]", + "[variables('$fxv#146')]", + "[variables('$fxv#147')]", + "[variables('$fxv#148')]", + "[variables('$fxv#149')]", + "[variables('$fxv#150')]", + "[variables('$fxv#151')]", + "[variables('$fxv#152')]", + "[variables('$fxv#153')]", + "[variables('$fxv#154')]", + "[variables('$fxv#155')]", + "[variables('$fxv#156')]", + "[variables('$fxv#157')]" + ], + "AzureChinaCloud": [ + "[variables('$fxv#158')]", + "[variables('$fxv#159')]", + "[variables('$fxv#160')]", + "[variables('$fxv#161')]", + "[variables('$fxv#162')]", + "[variables('$fxv#163')]", + "[variables('$fxv#164')]", + "[variables('$fxv#165')]", + "[variables('$fxv#166')]" + ], + "AzureUSGovernment": [ + 
"[variables('$fxv#167')]", + "[variables('$fxv#168')]", + "[variables('$fxv#169')]" ] }, "policyDefinitionsByCloudType": { @@ -431,14 +449,7 @@ "AzureChinaCloud": "[variables('policyDefinitionsAzureChinaCloud')]", "AzureUSGovernment": "[variables('policyDefinitionsAzureUSGovernment')]" }, - "policySetDefinitionsByCloudType": { - "All": "[variables('policySetDefinitionsAll')]", - "AzureCloud": "[variables('policySetDefinitionsAzureCloud')]", - "AzureChinaCloud": "[variables('policySetDefinitionsAzureChinaCloud')]", - "AzureUSGovernment": "[variables('policySetDefinitionsAzureUSGovernment')]" - }, - "policyDefinitions": "[concat(variables('policyDefinitionsByCloudType').All, variables('policyDefinitionsByCloudType')[variables('cloudEnv')])]", - "policySetDefinitions": "[concat(variables('policySetDefinitionsByCloudType').All, variables('policySetDefinitionsByCloudType')[variables('cloudEnv')])]" + "policyDefinitions": "[concat(variables('policyDefinitionsByCloudType').All, variables('policyDefinitionsByCloudType')[variables('cloudEnv')])]" }, "resources": [ { 
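Review bot: The per-cloud partition of policy definitions is now expressed purely by positional `$fxv#` indexes (`All` up to #142, `AzureCloud` #143–#157, `AzureChinaCloud` #158–#166, `AzureUSGovernment` #167–#169), so a policy file that the Bicep build sorts into the wrong slot would silently be deployed to, or withheld from, a sovereign cloud with no deployment error. This file looks like generated output, so the check belongs in the pipeline: each embedded definition carries `metadata.alzCloudEnvironments` (the deprecated TDE policy above lists all three clouds), and a test asserting that every entry in the `AzureChinaCloud`/`AzureUSGovernment` lists names that cloud and every `All` entry names all three would catch a mis-partition. The `loadPolicySetDefinitions` lists and the initiative copy loop are removed here; presumably initiatives now deploy from another template, which is worth stating in the commit message since this template's `policySetDefinitionNames` output disappears with them.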
@@ -458,27 +469,6 @@ "policyType": "[variables('policyDefinitions')[copyIndex()].properties.policyType]", "policyRule": "[variables('policyDefinitions')[copyIndex()].properties.policyRule]" } - }, - { - "copy": { - "name": "PolicySetDefinitions", - "count": "[length(variables('policySetDefinitions'))]" - }, - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2020-09-01", - "name": "[variables('policySetDefinitions')[copyIndex()].name]", - "properties": { - "description": "[variables('policySetDefinitions')[copyIndex()].properties.description]", - "displayName": "[variables('policySetDefinitions')[copyIndex()].properties.displayName]", - "metadata": "[variables('policySetDefinitions')[copyIndex()].properties.metadata]", - "parameters": "[variables('policySetDefinitions')[copyIndex()].properties.parameters]", - "policyType": "[variables('policySetDefinitions')[copyIndex()].properties.policyType]", - "policyDefinitions": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitions]", - "policyDefinitionGroups": "[variables('policySetDefinitions')[copyIndex()].properties.policyDefinitionGroups]" - }, - "dependsOn": [ - "PolicyDefinitions" - ] } ], "outputs": { @@ -488,13 +478,6 @@ "count": "[length(variables('policyDefinitions'))]", "input": "[variables('policyDefinitions')[copyIndex()].name]" } - }, - "policySetDefinitionNames": { - "type": "array", - "copy": { - "count": "[length(variables('policySetDefinitions'))]", - "input": "[variables('policySetDefinitions')[copyIndex()].name]" - } } } } \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/roleAssignments/azOpsRoleAssignment.json b/eslzArm/managementGroupTemplates/roleAssignments/azOpsRoleAssignment.json deleted file mode 100644 index b4a1011f2a..0000000000 --- a/eslzArm/managementGroupTemplates/roleAssignments/azOpsRoleAssignment.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "topLevelManagementGroupPrefix": { - "type": "string" - }, - "principalId": { - "type": "array" - } - }, - "variables": { - "formattedPrincipalId": "[replace(replace(replace(string(parameters('principalId')), '\"', ''), '[', ''), ']', '')]", - "roleDefinitionOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('roleDefinitionOwner'))]" - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2019-04-01-preview", - "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('formattedPrincipalId')))]", - "properties": { - "principalType": "ServicePrincipal", - "roleDefinitionId": "[variables('roleDefinitionId')]", - "principalId": "[variables('formattedPrincipalId')]" - } - } - ] -} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json index c14fd1239a..6c8ce646a2 100644 --- a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json +++ b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.15.31.15270", - "templateHash": "9056413825824880773" + "version": "0.29.47.4906", + "templateHash": "12429908550017328445" } }, "variables": { diff --git a/eslzArm/resourceGroupTemplates/azOpsArm.json b/eslzArm/resourceGroupTemplates/azOpsArm.json deleted file mode 100644 index 7844528058..0000000000 --- a/eslzArm/resourceGroupTemplates/azOpsArm.json +++ /dev/null 
@@ -1,150 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "paToken": { - "type": "securestring", - "metadata": { - "description": "Provide the PA Token to authorize Git and create new repository for the organization/user." - } - }, - "principalSecret": { - "type": "securestring", - "metadata": { - "description": "Provide the principalId which is needed to create GitHub secret" - } - }, - "gitHubUserNameOrOrg": { - "type": "string", - "metadata": { - "description": "Provide username or org name for GitHub." - } - }, - "topLevelManagementGroupPrefix": { - "type": "string", - "metadata": { - "description": "Provide the prefix for your ESLZ setup." - } - }, - "appId": { - "type": "string" - }, - "repositoryName": { - "type": "string" - } - }, - "variables": { - "keyVaultName": "[take(concat(resourceGroup().name, uniqueString(subscription().subscriptionId)), 24)]", - "keyVaultRbacName": "[concat(variables('keyVaultName'), '/Microsoft.Authorization/', guid(variables('keyVaultName')))]", - "patSecretName": "PATSecret", - "spnSecretName": "SPNSecret", - "userManagedIdentityName": "[concat(resourceGroup().name, '-umi')]", - "keyVaultAdminRbac": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483" - }, - "resources": [ - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2018-11-30", - "name": "[variables('userManagedIdentityName')]", - "location": "[resourceGroup().location]" - }, - { - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2019-09-01", - "name": "[variables('keyVaultName')]", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[variables('userManagedIdentityName')]" - ], - "properties": { - "enabledForTemplateDeployment": true, - "enableRbacAuthorization": true, - "enablePurgeProtection": true, - "enableSoftDelete": true, - "tenantId": "[subscription().tenantId]", - 
"sku": { - "family": "A", - "name": "standard" - } - } - }, - { - "type": "Microsoft.KeyVault/vaults/secrets", - "apiVersion": "2019-09-01", - "name": "[concat(variables('keyVaultName'), '/', variables('patSecretName'))]", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]" - ], - "properties": { - "value": "[parameters('paToken')]" - } - }, - { - "type": "Microsoft.KeyVault/vaults/secrets", - "apiVersion": "2019-09-01", - "name": "[concat(variables('keyVaultName'), '/', variables('spnSecretName'))]", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]" - ], - "properties": { - "value": "[parameters('principalSecret')]" - } - }, - { - "type": "Microsoft.KeyVault/vaults/providers/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[variables('keyVaultRbacName')]", - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]", - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('userManagedIdentityName'))]" - ], - "properties": { - "principalType": "ServicePrincipal", - "principalId": "[reference(variables('userManagedIdentityName'), '2018-11-30').principalId]", - "roleDefinitionId": "[variables('keyVaultAdminRbac')]" - } - }, - { - "type": "Microsoft.Resources/deploymentScripts", - "apiVersion": "2020-10-01", - "name": "[concat(resourceGroup().name, '-GitHub')]", - "location": "[resourceGroup().location]", - "kind": "AzurePowerShell", - "identity": { - "type": "userAssigned", - "userAssignedIdentities": { - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('userManagedIdentityName'))]": {} - } - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults/providers/roleAssignments', variables('keyVaultName'), 'Microsoft.Authorization', guid(variables('keyVaultName')))]", - 
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('patSecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('spnSecretName'))]" - ], - "properties": { - "primaryScriptUri": "https://raw.githubusercontent.com/Azure/AzOps/main/scripts/ARMAzOpsSetup.ps1", - "arguments": "[concat('-KeyVault', ' ', variables('keyVaultName'), ' ', - '-NewRepositoryName', ' ', parameters('repositoryName'), ' ', - '-GitHubUserNameOrOrg', ' ', parameters('gitHubUserNameOrOrg'), ' ', - '-SPNSecretName', ' ', variables('spnSecretName'), ' ', - '-SpnAppId', ' ', parameters('appId'), ' ', - '-PATSecretName', ' ', variables('patSecretName'), ' ', - '-AzureTenantId', ' ', subscription().tenantId, ' ', - '-EnterpriseScalePrefix', ' ', parameters('topLevelManagementGroupPrefix'), ' ', - '-AzureSubscriptionId', ' ', subscription().subscriptionId)]", - "azPowerShellVersion": "5.5", - "timeout": "PT30M", - "cleanupPreference": "Always", - "retentionInterval": "P1D" - } - } - ], - "outputs": { - "umi": { - "type": "string", - "value": "[reference(variables('userManagedIdentityName'), '2018-11-30').principalId]" - } - } -} \ No newline at end of file diff --git a/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json b/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json new file mode 100644 index 0000000000..be416d5034 --- /dev/null +++ b/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json 
@@ -0,0 +1,327 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "dataCollectionRuleName": { + "type": "string", + "metadata": { + "description": "Specifies the name of the data collection rule to create." + }, + "defaultValue": "dcr-changetracking-prod" + }, + "workspaceResourceId": { + "type": "string", + "metadata": { + "description": "Specifies the Azure resource ID of the Log Analytics workspace to use to store change tracking data." + } + }, + "WorkspaceLocation": { + "type": "string", + "metadata": { + "description": "Specifies the location of the Log Analytics workspace to use to store change tracking data." + } + } + }, + "variables": { + "subscriptionId": "[substring(parameters('workspaceResourceId'), 15, sub(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 15))]", + "resourceGroupName": "[substring(parameters('workspaceResourceId'), add(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 16), sub(sub(indexOf(parameters('workspaceResourceId'), '/providers/'), indexOf(parameters('workspaceResourceId'), '/resourceGroups/')),16))]", + "workspaceName": "[substring(parameters('workspaceResourceId'), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1), sub(length(parameters('workspaceResourceId')), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1)))]" + }, + "resources": [ + { + "type": "microsoft.resources/deployments", + "name": "CtDcr-Deployment", + "apiVersion": "2020-08-01", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2021-04-01", + "name": "[parameters('dataCollectionRuleName')]", + "location": "[parameters('WorkspaceLocation')]", + "properties": { + 
"description": "Data collection rule for CT.", + "dataSources": { + "extensions": [ + { + "streams": [ + "Microsoft-ConfigurationChange", + "Microsoft-ConfigurationChangeV2", + "Microsoft-ConfigurationData" + ], + "extensionName": "ChangeTracking-Windows", + "extensionSettings": { + "enableFiles": true, + "enableSoftware": true, + "enableRegistry": true, + "enableServices": true, + "enableInventory": true, + "registrySettings": { + "registryCollectionFrequency": 3000, + "registryInfo": [ + { + "name": "Registry_1", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup", + "valueName": "" + }, + { + "name": "Registry_2", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown", + "valueName": "" + }, + { + "name": "Registry_3", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "valueName": "" + }, + { + "name": "Registry_4", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components", + "valueName": "" + }, + { + "name": "Registry_5", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers", + "valueName": "" + }, + { + "name": "Registry_6", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers", + "valueName": "" + }, + { + "name": "Registry_7", + "groupTag": 
"Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers", + "valueName": "" + }, + { + "name": "Registry_8", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers", + "valueName": "" + }, + { + "name": "Registry_9", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers", + "valueName": "" + }, + { + "name": "Registry_10", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", + "valueName": "" + }, + { + "name": "Registry_11", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", + "valueName": "" + }, + { + "name": "Registry_12", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions", + "valueName": "" + }, + { + "name": "Registry_13", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions", + "valueName": "" + }, + { + "name": "Registry_14", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", + "valueName": "" + }, + { + "name": "Registry_15", + "groupTag": 
"Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", + "valueName": "" + }, + { + "name": "Registry_16", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls", + "valueName": "" + }, + { + "name": "Registry_17", + "groupTag": "Recommended", + "enabled": false, + "recurse": true, + "description": "", + "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify", + "valueName": "" + } + ] + }, + "fileSettings": { + "fileCollectionFrequency": 2700 + }, + "softwareSettings": { + "softwareCollectionFrequency": 1800 + }, + "inventorySettings": { + "inventoryCollectionFrequency": 36000 + }, + "servicesSettings": { + "serviceCollectionFrequency": 1800 + } + }, + "name": "CTDataSource-Windows" + }, + { + "streams": [ + "Microsoft-ConfigurationChange", + "Microsoft-ConfigurationChangeV2", + "Microsoft-ConfigurationData" + ], + "extensionName": "ChangeTracking-Linux", + "extensionSettings": { + "enableFiles": true, + "enableSoftware": true, + "enableRegistry": false, + "enableServices": true, + "enableInventory": true, + "fileSettings": { + "fileCollectionFrequency": 900, + "fileInfo": [ + { + "name": "ChangeTrackingLinuxPath_default", + "enabled": true, + "destinationPath": "/etc/.*.conf", + "useSudo": true, + "recurse": true, + "maxContentsReturnable": 5000000, + "pathType": "File", + "type": "File", + "links": "Follow", + "maxOutputSize": 500000, + "groupTag": "Recommended" + } + ] + }, + "softwareSettings": { + "softwareCollectionFrequency": 300 + }, + "inventorySettings": { + "inventoryCollectionFrequency": 36000 + }, + "servicesSettings": { + "serviceCollectionFrequency": 300 + } + }, + "name": "CTDataSource-Linux" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + 
"workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "Microsoft-CT-Dest" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-ConfigurationChange", + "Microsoft-ConfigurationChangeV2", + "Microsoft-ConfigurationData" + ], + "destinations": [ + "Microsoft-CT-Dest" + ] + } + ] + } + }, + { + "type": "Microsoft.OperationsManagement/solutions", + "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]", + "location": "[parameters('WorkspaceLocation')]", + "apiVersion": "2015-11-01-preview", + "id": "[Concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.OperationsManagement/solutions/ChangeTracking', '(', variables('workspaceName'), ')')]", + "properties": { + "workspaceResourceId": "[parameters('workspaceResourceId')]" + }, + "plan": { + "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]", + "product": "OMSGallery/ChangeTracking", + "promotionCode": "", + "publisher": "Microsoft" + } + } + ] + } + }, + "subscriptionId": "[split(parameters('WorkspaceResourceId'),'/')[2]]", + "resourceGroup": "[split(parameters('WorkspaceResourceId'),'/')[4]]" + } + ] +} diff --git a/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json b/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json new file mode 100644 index 0000000000..b66a754831 --- /dev/null +++ b/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json 
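Review bot: All seventeen Windows `registryInfo` entries in this DCR ship with `"enabled": false`, so the Run, Active Setup, Winlogon\Notify, KnownDlls, Drivers32, Browser Helper Object and startup/shutdown-script keys — the autostart persistence locations these entries are named for — are not tracked even though `enableRegistry` is `true`; if the rule is meant to support security monitoring these should be `"enabled": true`, otherwise the `description` should say why the "Recommended" set is listed but off. On the Linux side, `fileInfo` tracks `/etc/.*.conf` with `useSudo: true` and `maxContentsReturnable: 5000000`; if file content is captured for those paths, credentials that some daemons keep in `/etc/*.conf` would be copied into the Log Analytics workspace, so confirm whether content upload is intended and note the workspace's access scope in the description. Minor: `subscriptionId` is derived once as `substring(..., 15, ...)` in `variables` and again as `split(...)[2]` on the nested deployment; using the `split` form in both places removes the dependency on the exact length of the `/subscriptions/` prefix.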
@@ -0,0 +1,105 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "WorkspaceResourceId": { + "type": "String", + "metadata": { + "description": "Workspace Resource ID." + } + }, + "WorkspaceLocation": { + "type": "String", + "metadata": { + "description": "Workspace Location." + } + }, + "userGivenDcrName": { + "type": "String", + "metadata": { + "displayName": "Name of the Data Collection Rule(DCR)", + "description": "This is the name of the Data Collection Rule(DCR) for Defender for SQL." + }, + "defaultValue": "dcr-defendersql-prod" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "Bool", + "metadata": { + "displayName": "Enable collection of SQL queries for security research", + "description": "Enable collection of SQL queries for security research" + }, + "defaultValue": false + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[parameters('userGivenDcrName')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2021-04-01", + "name": "[parameters('userGivenDcrName')]", + "location": "[parameters('WorkspaceLocation')]", + "properties": { + "description": "Data collection rule for Defender for SQL.", + "dataSources": { + "extensions": [ + { + "extensionName": "MicrosoftDefenderForSQL", + "name": "MicrosoftDefenderForSQL", + "streams": [ + "Microsoft-DefenderForSqlAlerts", + "Microsoft-DefenderForSqlLogins", + "Microsoft-DefenderForSqlTelemetry", + "Microsoft-DefenderForSqlScanEvents", + "Microsoft-DefenderForSqlScanResults" + ], + "extensionSettings": { + 
"enableCollectionOfSqlQueriesForSecurityResearch": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + } + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('WorkspaceResourceId')]", + "name": "LogAnalyticsDest" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-DefenderForSqlAlerts", + "Microsoft-DefenderForSqlLogins", + "Microsoft-DefenderForSqlTelemetry", + "Microsoft-DefenderForSqlScanEvents", + "Microsoft-DefenderForSqlScanResults" + ], + "destinations": [ + "LogAnalyticsDest" + ] + } + ] + } + } + ] + } + }, + "subscriptionId": "[split(parameters('WorkspaceResourceId'),'/')[2]]", + "resourceGroup": "[split(parameters('WorkspaceResourceId'),'/')[4]]" + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json b/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json new file mode 100644 index 0000000000..fc0e6a833b --- /dev/null +++ b/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json 
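Review bot: The `enableCollectionOfSqlQueriesForSecurityResearch` parameter's `description` merely repeats its `displayName`, which gives an operator no basis for the opt-in decision; since the switch presumably forwards SQL query text to Microsoft, and query text can embed literals taken from customer data, the description should say so and name the default, e.g. `"description": "When true, the Defender for SQL extension also forwards SQL query text to Microsoft for security research; query text may contain sensitive literals. Defaults to false."`. Keeping `defaultValue` at `false` is the right call.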
@@ -0,0 +1,108 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "WorkspaceResourceId": { + "type": "String", + "metadata": { + "description": "Workspace Resource ID." + } + }, + "WorkspaceLocation": { + "type": "String", + "metadata": { + "description": "Workspace Location." + } + }, + "userGivenDcrName": { + "type": "String", + "metadata": { + "displayName": "Name of the Data Collection Rule(DCR)", + "description": "This is the name of the Data Collection Rule(DCR) for VM Insights." + }, + "defaultValue": "dcr-vminsights-prod" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[parameters('userGivenDcrName')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2021-04-01", + "name": "[parameters('userGivenDcrName')]", + "location": "[parameters('WorkspaceLocation')]", + "properties": { + "description": "Data collection rule for VM Insights.", + "dataSources": { + "performanceCounters": [ + { + "name": "VMInsightsPerfCounters", + "streams": [ + "Microsoft-InsightsMetrics" + ], + "scheduledTransferPeriod": "PT1M", + "samplingFrequencyInSeconds": 60, + "counterSpecifiers": [ + "\\VmInsights\\DetailedMetrics" + ] + } + ], + "extensions": [ + { + "streams": [ + "Microsoft-ServiceMap" + ], + "extensionName": "DependencyAgent", + "extensionSettings": {}, + "name": "DependencyAgentDataSource" + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[parameters('WorkspaceResourceId')]", + "name": "VMInsightsPerf-Logs-Dest" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-InsightsMetrics" + 
], + "destinations": [ + "VMInsightsPerf-Logs-Dest" + ] + }, + { + "streams": [ + "Microsoft-ServiceMap" + ], + "destinations": [ + "VMInsightsPerf-Logs-Dest" + ] + } + ] + } + } + ] + } + }, + "subscriptionId": "[split(parameters('WorkspaceResourceId'),'/')[2]]", + "resourceGroup": "[split(parameters('WorkspaceResourceId'),'/')[4]]" + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/resourceGroupTemplates/privateDnsZones.json b/eslzArm/resourceGroupTemplates/privateDnsZones.json index 4f9b10acc7..2663b1af5b 100644 --- a/eslzArm/resourceGroupTemplates/privateDnsZones.json +++ b/eslzArm/resourceGroupTemplates/privateDnsZones.json @@ -10,6 +10,19 @@ }, "connectivityHubResourceId": { "type": "string" + }, + "connectivityHubResourceIdSecondary": { + "type": "string", + "defaultValue": "placeholder" + + }, + "enablePrivateDnsZonesSecondary": { + "type": "string", + "defaultValue": "No" + }, + "enableHubSecondary": { + "type": "string", + "defaultValue": "No" } }, "resources": [ @@ -38,6 +51,22 @@ "id": "[parameters('connectivityHubResourceId')]" } } + }, + { + "type": "virtualNetworkLinks", + "apiVersion": "2020-06-01", + "name": "[concat('linkingOf', parameters('privateDnsZoneName'),2)]", + "location": "global", + "condition": "[and(equals(parameters('enablePrivateDnsZonesSecondary'), 'No'), not(equals(parameters('enableHubSecondary'), 'No')))]", + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" + ], + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[parameters('connectivityHubResourceIdSecondary')]" + } + } } ] } diff --git a/eslzArm/resourceGroupTemplates/userAssignedIdentity.json b/eslzArm/resourceGroupTemplates/userAssignedIdentity.json new file mode 100644 index 0000000000..97455e8dd8 --- /dev/null +++ b/eslzArm/resourceGroupTemplates/userAssignedIdentity.json 
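Review bot: The `condition` on the new secondary `virtualNetworkLinks` resource uses `not(equals(parameters('enableHubSecondary'), 'No'))`, so any value other than the literal `No` — `yes`, `true`, a typo — turns the link on, and because `connectivityHubResourceIdSecondary` defaults to the string `placeholder` the deployment would then fail on an invalid resource ID rather than skip the resource. Tightening it to `equals(parameters('enableHubSecondary'), 'Yes')` and declaring `"allowedValues": ["Yes", "No"]` on both flag parameters in the hunk above makes the behaviour explicit. The resource would also benefit from a one-line comment in its name or a `metadata` note, since nothing in it states that `linkingOf…2` with `enablePrivateDnsZonesSecondary == 'No'` means "link the primary zones to the secondary hub only when no secondary zones are created".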
@@ -0,0 +1,53 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "location for the the resources to deploy."
+ }
+ },
+ "userAssignedIdentityName": {
+ "type": "string",
+ "defaultValue": "id-ama-prod",
+ "metadata": {
+ "description": "The name of the Managed Identity resource."
+ }
+ },
+ "userAssignedIdentityResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "description": "The name of the resource group where the Managed Identity resource will be created."
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "[parameters('userAssignedIdentityName')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "name": "[parameters('userAssignedIdentityName')]",
+ "apiVersion": "2018-11-30",
+ "location": "[parameters('location')]"
+ }
+ ]
+ }
+ },
+ "resourceGroup": "[parameters('userAssignedIdentityResourceGroup')]"
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/resourceGroupTemplates/vnetRouteTable.json b/eslzArm/resourceGroupTemplates/vnetRouteTable.json
new file mode 100644
index 0000000000..f879e4a617
--- /dev/null
+++ b/eslzArm/resourceGroupTemplates/vnetRouteTable.json
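Review bot: The template ends with `"outputs": {}`, so whatever assigns this identity (the `id-ama-prod` default suggests the Azure Monitor Agent policy assignments) has to rebuild its resource ID by hand from `userAssignedIdentityResourceGroup` and `userAssignedIdentityName`; exposing the inner identity's `resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentityName'))` and its `principalId` as outputs of the nested template, and forwarding them from the outer template via `reference(parameters('userAssignedIdentityName')).outputs`, removes that duplication and gives callers the principal ID they need for role assignments. Also `"description": "location for the the resources to deploy."` has a doubled word.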
@@ -0,0 +1,76 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix" : {
+ "type": "string"
+ },
+ "connectivityHubResourceId": {
+ "type": "string"
+ },
+ "subnetName": {
+ "type": "string"
+ },
+ "cidrRange": {
+ "type": "string"
+ },
+ "targetFWSubnetCidr": {
+ "type": "string"
+ },
+ "sourceFWSubnetCidr": {
+ "type": "string"
+ },
+ "hubLocation": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "routeTableName": "[concat(parameters('topLevelManagementGroupPrefix'), '-rt-hub-', parameters('hubLocation'))]",
+ "vNetName": "[last(split(parameters('connectivityHubResourceId'), '/'))]",
+ "nextHopIP": "[first(split(cidrsubnet(parameters('targetFWSubnetCidr'), 32, 4), '/'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2020-07-01",
+ "name": "[variables('routeTableName')]",
+ "location": "[parameters('hubLocation')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "hubRoute",
+ "properties": {
+ "addressPrefix": "[parameters('cidrRange')]",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[variables('nextHopIP')]"
+ }
+ },
+ {
+ "name": "internetRoute",
+ "properties": {
+ "addressPrefix": "0.0.0.0/0",
+ "nextHopType": "Internet"
+ }
+ }
+ ]
+
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/subnets",
+ "apiVersion": "2020-07-01",
+ "name": "[concat(variables('vNetName'), '/', parameters('subnetName'))]",
+ "properties": {
+ "addressPrefix": "[parameters('sourceFWSubnetCidr')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', variables('routeTableName'))]"
+ }
+
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/routeTables', variables('routeTableName'))]"
+ ]
+ }
+ ]
+}
+
diff --git a/eslzArm/subscriptionTemplates/azFw-basepolicy.json b/eslzArm/subscriptionTemplates/azFw-basepolicy.json
new file mode 100644
index 0000000000..6c23ee3fca
--- /dev/null
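Review bot: The `Microsoft.Network/virtualNetworks/subnets` resource specifies only `addressPrefix` and `routeTable`, and a subnet PUT replaces the entire property set, so every run of this template strips whatever NSG, service endpoints, delegations or private-endpoint network-policy settings `subnetName` carries outside this template. It is presumably aimed at `AzureFirewallSubnet` (which takes no NSG), but nothing enforces that, so either state the restriction in `subnetName`'s metadata or read the existing subnet and `union()` its properties the way the hub template does for its subnets. `nextHopIP` also silently assumes the remote firewall's private IP is the fourth address of `targetFWSubnetCidr` (`cidrsubnet(..., 32, 4)`), which matches Azure Firewall's usual allocation but should be written down: `// Azure Firewall takes the first usable address (.4) of its subnet; adjust if the target firewall is not at that offset`. Finally, the `0.0.0.0/0 -> Internet` route deliberately bypasses any forced-tunnelling default route for this subnet; a comment saying that is intentional for the firewall subnet would stop the table being reused on workload subnets.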
+++ b/eslzArm/subscriptionTemplates/azFw-basepolicy.json 
@@ -0,0 +1,118 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Location of the HUB" + }, + "defaultValue": "[deployment().location]" + }, + "enableAzFwDnsProxy": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the Azure Firewall should be used as DNS Proxy or not." + } + }, + "connectivitySubscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide the subscription id for the dedicated connectivity subscription." 
+ } + }, + "firewallSku": { + "type": "string", + "allowedValues": [ + "Basic", + "Standard", + "Premium" + ], + "defaultValue": "Standard" + } + }, + "variables": { + "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fwBasePolicy-', parameters('location'))]", + "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-base-', parameters('location'))]", + "resourceDeploymentName": "[take(concat(deployment().name, '-azfwpolicy-base-', parameters('location')), 64)]", + "azFirewallPolicyId": { + "id": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]" + }, + "azFirewallDnsSettings": { + "enableProxy": true + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[concat('alz-', parameters('location'), '-', substring(uniqueString(parameters('connectivitySubscriptionId')),0,6), '-azFwBasePolicy')]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[variables('rgName')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('resourceDeploymentName')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
+ "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2020-11-01", + "name": "[variables('azFwPolicyName')]", + "location": "[parameters('location')]", + "properties": { + "dnsSettings": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('azFirewallDnsSettings'), json('null'))]", + "sku": { + "tier": "[parameters('firewallSku')]" + + } + } + } + ] + } + } + } + ] + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json index 4316876e16..d2f76af24b 100644 --- a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json +++ b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json @@ -104,6 +104,13 @@ "description": "Provide subnet for Azure Firewall." } }, + "subnetMaskForAzFwMgmt": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide subnet for Azure Firewall Management." + } + }, "subnetMaskForGw": { "type": "string", "defaultValue": "", @@ -114,6 +121,7 @@ "firewallSku": { "type": "string", "allowedValues": [ + "Basic", "Standard", "Premium" ], @@ -127,6 +135,10 @@ "type": "string", "defaultValue": "" }, + "enableVpnActiveActive": { + "type": "string", + "defaultValue": "" + }, "gwAzSku": { "type": "string", "defaultValue": "" 
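Review bot: `connectivitySubscriptionId` defaults to `""` although the template cannot work without it — the nested deployment's `subscriptionId` and the `azFirewallPolicyId` variable are both built from it — so an omitted value fails late with an unhelpful invalid-subscription error; drop the `defaultValue` or add `"minLength": 36` so validation catches it up front. `azFirewallPolicyId` is computed but never used and `outputs` is empty, so whatever later sets regional policies' `basePolicy` has to rebuild the ID by hand; expose it with `"outputs": { "azFwBasePolicyId": { "type": "string", "value": "[variables('azFirewallPolicyId').id]" } }`. The policy also leaves `threatIntelMode` at the service default (Alert); for a tenant-wide base policy that choice should be explicit, either as a property or as a comment explaining why it is left to the regional policies. If the Basic tier does not support the DNS proxy (to confirm against the firewall SKU docs), the `enableAzFwDnsProxy` expression should also gate on `firewallSku` rather than letting a `Yes` + `Basic` combination fail at deploy time.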
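Review bot: `enableVpnActiveActive` is added with `"defaultValue": ""` and no `allowedValues`, but the two VPN gateway resources later in this file deploy only on an exact `'Yes'` or `'No'`, so any caller that still passes just `enableVpnGw: 'Yes'` now gets no gateway at all and no error. Declare it like the other toggles in this file: `"enableVpnActiveActive": { "type": "string", "allowedValues": [ "Yes", "No" ], "defaultValue": "No" }`. `subnetMaskForAzFwMgmt` in the hunk above has the same shape; its description should at least say it is mandatory when `firewallSku` is `Basic`.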
@@ -159,15 +171,32 @@ "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('location'))]", "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]", "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]", + "azVpnGwAAIpName": "[concat(variables('vpngwname'), '-pip-002')]", "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('location'))]", "azErGwIpName": "[concat(variables('erGwName'), '-pip')]", "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "azVpnGwAAPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]", + "azVpnPIPZones": "[split('1,2,3', ',')]", "azFwIpName": "[concat(variables('azFwName'), '-pip')]", + "azFwMgmtIpName": "[concat(variables('azFwName'), '-mgmtpip')]", "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]", "azFwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), 
'/subnets/AzureFirewallSubnet')]", "azFwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azFwIpName'))]", + "azFwMgmtSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/AzureFirewallManagementSubnet')]", + "azFwMgmtPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azFwMgmtIpName'))]", + "azFwMgmtIpConfig": { + "name": "[variables('azFwMgmtIpName')]", + "properties": { + "subnet": { + "id": "[variables('azFwMgmtSubnetId')]" + }, + "publicIPAddress": { + "id": "[variables('azFwMgmtPipId')]" + } + } + }, "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]", // Creating variable that later will be used in conjunction with the union() function to cater for conditional subnet creation while ensuring idempotency "gwSubnet": [ @@ -186,6 +215,14 @@ } } ], + "fwMgmtSubnet": [ + { + "name": "AzureFirewallManagementSubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForAzFwMgmt')]" + } + } + ], "ddosProtectionPlanId": { "id": "[parameters('ddosPlanResourceId')]" }, 
@@ -252,35 +289,106 @@ empty(parameters('subnetMaskForGw'))), variables('gwSubnet'), json('[]')), if( not( - empty(parameters('subnetMaskForAzFw'))), variables('fwSubnet'), json('[]')))]", + empty(parameters('subnetMaskForAzFw'))), variables('fwSubnet'), json('[]')), + if( + not( + empty(parameters('subnetMaskForAzFwMgmt'))), variables('fwMgmtSubnet'), json('[]')))]", "enableDdosProtection": "[if(equals(parameters('enableDdoS'), 'Yes'), 'true', 'false')]", "ddosProtectionPlan": "[if(equals(parameters('enableDdoS'), 'Yes'), variables('ddosProtectionPlanId'), json('null'))]" } }, { "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", - "apiVersion": "2020-05-01", + "apiVersion": "2023-11-01", "type": "Microsoft.Network/publicIpAddresses", "location": "[parameters('location')]", "name": "[variables('azVpnGwIpName')]", + "zones": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), variables('azVpnPIPZones'), json('null'))]", "sku": { - "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + "name": "Standard" }, "properties": { - "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + "publicIPAllocationMethod": "Static" } }, { - "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2023-11-01", + "type": "Microsoft.Network/publicIpAddresses", + "location": "[parameters('location')]", + "name": "[variables('azVpnGwAAIpName')]", + "zones": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), variables('azVpnPIPZones'), json('null'))]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static" + } + }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), 
equals(parameters('enableVpnActiveActive'),'No'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2023-11-01", + "name": "[variables('vpngwname')]", + "type": "Microsoft.Network/virtualNetworkGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "activeActive": false, + "gatewayType": "Vpn", + "vpnGatewayGeneration": "Generation2", + "vpnType": "RouteBased", + "ipConfigurations": [ + { + "name": "default", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azVpnGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azVpnGwPipId')]" + } + } + } + ], + "sku": { + "name": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]", + "tier": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]" + } + } + }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]", "apiVersion": "2020-05-01", "name": "[variables('vpngwname')]", "type": "Microsoft.Network/virtualNetworkGateways", "location": "[parameters('location')]", "dependsOn": [ "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]", "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" ], "properties": { + "activeActive": true, "gatewayType": "Vpn", "vpnGatewayGeneration": "Generation2", "vpnType": "RouteBased", 
@@ -296,6 +404,18 @@ "id": "[variables('azVpnGwPipId')]" } } + }, + { + "name": "activeactive", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azVpnGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azVpnGwAAPipId')]" + } + } } ], "sku": { @@ -327,10 +447,10 @@ "location": "[parameters('location')]", "name": "[variables('azErGwIpName')]", "sku": { - "name": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + "name": "Standard" }, "properties": { - "publicIPAllocationMethod": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + "publicIPAllocationMethod": "Static" } }, { @@ -395,6 +515,19 @@ "publicIPAllocationMethod": "Static" } }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), equals(parameters('firewallSku'), 'Basic'), not(empty(parameters('subnetMaskForAzFwMgmt'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "name": "[variables('azFwMgmtIpName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static" + } + }, { "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", "type": "Microsoft.Network/firewallPolicies", @@ -405,6 +538,7 @@ "dnsSettings": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('azFirewallDnsSettings'), json('null'))]", "sku": { "tier": "[parameters('firewallSku')]" + } } }, @@ -418,7 +552,8 @@ "dependsOn": [ "[concat('Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]", "[concat('Microsoft.Network/publicIpAddresses/', variables('azFwIpName'))]", - "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]", + "[concat('Microsoft.Network/virtualNetworkGateways/', variables('vpngwname'))]" ], "properties": { "sku": { 
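Review bot: The new single-instance `virtualNetworkGateways` resource is pinned to `apiVersion` `2023-11-01` while the active-active sibling it mirrors stays on `2020-05-01`; both resources share the name `[variables('vpngwname')]` and the same `sku` expression, so they should use one API version or property defaults will differ depending on which condition fires. The same drift applies to the new management public IP in the `@@ -395` hunk, which uses `2020-05-01` while the VPN public IPs in this hunk moved to `2023-11-01`. In the `@@ -418` hunk the firewall now `dependsOn` the VPN gateway, which serialises the firewall build behind the gateway's (typically long) provisioning; if that ordering exists only to avoid concurrent writes to the hub VNet, say so in a comment so it is not removed later as an accidental dependency.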
@@ -438,6 +573,7 @@ } } ], + "managementIpConfiguration": "[if(equals(parameters('firewallSku'), 'Basic'), variables('azFwMgmtIpConfig'), json('null'))]", "firewallPolicy": "[variables('azFirewallPolicyId')]" } } diff --git a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json deleted file mode 100644 index 69d635cf2c..0000000000 --- a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json +++ /dev/null 
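Review bot: `managementIpConfiguration` is attached whenever `firewallSku` is `Basic`, but the management public IP (condition in the `@@ -395` hunk) and `AzureFirewallManagementSubnet` (via `fwMgmtSubnet`) are only created when `subnetMaskForAzFwMgmt` is non-empty, so a Basic deployment with that parameter left empty references a subnet and PIP that do not exist and fails mid-deployment. Since a Basic firewall cannot run without a management configuration, gate the expression the same way the PIP is gated so the failure mode is a clear validation error rather than a dangling reference: `"managementIpConfiguration": "[if(and(equals(parameters('firewallSku'), 'Basic'), not(empty(parameters('subnetMaskForAzFwMgmt')))), variables('azFwMgmtIpConfig'), json('null'))]"`, and document in `subnetMaskForAzFwMgmt` that Basic requires it. The firewall's `dependsOn` in the previous hunk also does not list `[concat('Microsoft.Network/publicIpAddresses/', variables('azFwMgmtIpName'))]`, so for Basic the firewall can be submitted before its management PIP exists.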
@@ -1,359 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "rgName": { - "type": "string", - "metadata": { - "description": "Provide the resource group name where the Log Analytics workspace is deployed." - } - }, - "workspaceName": { - "type": "string", - "metadata": { - "description": "Provide resource name for the Log Analytics workspace." - } - }, - "workspaceRegion": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Select Azure region for the Log Analytics workspace. Default, we will use same region as deployment." - } - }, - "enableSecuritySolution": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether security solutions should be enabled or not." - } - }, - "enableAgentHealth": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether agent health solution should be enabled or not." - } - }, - "enableChangeTracking": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether change tracking solution should be enabled or not." - } - }, - "enableUpdateMgmt": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether update mgmt solution should be enabled or not." - } - }, - "enableVmInsights": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether VM insights solution should be enabled or not." 
- } - }, - "enableServiceMap": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether service map solution should be enabled or not." - } - }, - "enableSqlAssessment": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether SQL assessment solution should be enabled or not." - } - }, - "enableSqlVulnerabilityAssessment": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether SQL vulnerability assessment solution should be enabled or not." - } - }, - "enableSqlAdvancedThreatProtection": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "Yes", - "metadata": { - "description": "Select whether SQL advanced threat protection solution should be enabled or not." - } - } - }, - "variables": { - "laResourceId": "[toLower(concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')))]", - "solutions": { - "security": { - "name": "[concat('Security', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "Security" - }, - "agentHealth": { - "name": "[concat('AgentHealthAssessment', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "AgentHealthAssessment" - }, - "changeTracking": { - "name": "[concat('ChangeTracking', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "ChangeTracking" - }, - "updateMgmt": { - "name": "[concat('Updates', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "Updates" - }, - "sqlAssessment": { - "name": "[concat('SQLAssessment', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "SQLAssessment" - }, - "sqlAdvancedThreatProtection": { - "name": "[concat('SQLAdvancedThreatProtection', '(', parameters('workspaceName'), ')')]", - 
"marketplaceName": "SQLAdvancedThreatProtection" - }, - "sqlVulnerabilityAssesment": { - "name": "[concat('SQLVulnerabilityAssessment', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "SQLVulnerabilityAssessment" - }, - "vmInsights": { - "name": "[concat('VMInsights', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "VMInsights" - }, - "serviceMap": { - "name": "[concat('ServiceMap', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "ServiceMap" - }, - "securityInsights": { - "name": "[concat('SecurityInsights', '(', parameters('workspaceName'), ')')]", - "marketplaceName": "SecurityInsights" - } - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", - "name": "[take(concat('alz-', 'solutions-', guid(deployment().name)), 63)]", - "resourceGroup": "[parameters('rgName')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - // Conditionally deploy solution for agent health - "condition": "[equals(parameters('enableAgentHealth'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').agentHealth.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').agentHealth.name]", - "product": "[concat('OMSGallery/', variables('solutions').agentHealth.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally deploy solution for change tracking - "condition": "[equals(parameters('enableChangeTracking'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": 
"[variables('solutions').changeTracking.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').changeTracking.name]", - "product": "[concat('OMSGallery/', variables('solutions').changeTracking.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally deploy solution for vm insights - "condition": "[equals(parameters('enableVmInsights'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').vmInsights.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').vmInsights.name]", - "product": "[concat('OMSGallery/', variables('solutions').vmInsights.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally deploy solution for security - "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').security.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').security.name]", - "product": "[concat('OMSGallery/', variables('solutions').security.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally deploy solution for sentinel - "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').securityInsights.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": 
"[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').securityInsights.name]", - "product": "[concat('OMSGallery/', variables('solutions').securityInsights.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally deploy solution for service map - "condition": "[equals(parameters('enableServiceMap'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').serviceMap.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').serviceMap.name]", - "product": "[concat('OMSGallery/', variables('solutions').serviceMap.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally deploy solution for SQL assessment - "condition": "[equals(parameters('enableSqlAssessment'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').sqlAssessment.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').sqlAssessment.name]", - "product": "[concat('OMSGallery/', variables('solutions').sqlAssessment.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally deploy solution for SQL advanced threat protection - "condition": "[equals(parameters('enableSqlAdvancedThreatProtection'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').sqlAdvancedThreatProtection.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": 
"[variables('solutions').sqlAdvancedThreatProtection.name]", - "product": "[concat('OMSGallery/', variables('solutions').sqlAdvancedThreatProtection.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally deploy solution for SQL vulnerability protection - "condition": "[equals(parameters('enableSqlVulnerabilityAssessment'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').sqlVulnerabilityAssesment.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').sqlVulnerabilityAssesment.name]", - "product": "[concat('OMSGallery/', variables('solutions').sqlVulnerabilityAssesment.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - // Conditionally deploy solution for update management - "condition": "[equals(parameters('enableUpdateMgmt'), 'Yes')]", - "apiVersion": "2015-11-01-preview", - "type": "Microsoft.OperationsManagement/solutions", - "name": "[variables('solutions').updateMgmt.name]", - "location": "[parameters('workspaceRegion')]", - "properties": { - "workspaceResourceId": "[variables('laResourceId')]" - }, - "plan": { - "name": "[variables('solutions').updateMgmt.name]", - "product": "[concat('OMSGallery/', variables('solutions').updateMgmt.marketplaceName)]", - "promotionCode": "", - "publisher": "Microsoft" - } - } - ] - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json index 6f5d8415b5..811f1b29e9 100644 --- a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json +++ b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json 
@@ -19,6 +19,9 @@ }, "retentionInDays": { "type": "String" + }, + "enableSentinel": { + "type": "String" } }, "variables": { @@ -34,7 +37,7 @@ }, { "type": "Microsoft.Resources/deployments", - "apiVersion": "2018-05-01", + "apiVersion": "2024-03-01", "name": "[variables('deploymentName')]", "resourceGroup": "[parameters('rgName')]", "dependsOn": [ @@ -85,6 +88,20 @@ } } ] + }, + { + // Onboard Sentinel + "condition": "[equals(parameters('enableSentinel'), 'Yes')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.SecurityInsights/onboardingStates", + "name": "default", + "scope": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]", + "dependsOn": [ + "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" + ], + "properties": { + "customerManagedKey": false + } } ], "outputs": {} diff --git a/eslzArm/subscriptionTemplates/mdfcConfiguration.json b/eslzArm/subscriptionTemplates/mdfcConfiguration.json new file mode 100644 index 0000000000..8c7273f9ce --- /dev/null +++ b/eslzArm/subscriptionTemplates/mdfcConfiguration.json 
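Review bot: `enableSentinel` is a bare `String` with no `allowedValues` and no `defaultValue`, so any existing caller that does not pass it now fails with a missing-parameter error, and any value other than the exact `'Yes'` (`'yes'`, `'true'`) silently skips Sentinel onboarding because the condition tests `equals(parameters('enableSentinel'), 'Yes')`. Declaring it like the other toggles in this repo — `"enableSentinel": { "type": "String", "allowedValues": [ "Yes", "No" ], "defaultValue": "No" }` — surfaces both failure modes at validation time. The onboarding resource also pins a preview API (`2023-02-01-preview`); prefer a stable `Microsoft.SecurityInsights/onboardingStates` version if one is available, or note in the `// Onboard Sentinel` comment why the preview is required.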
@@ -0,0 +1,683 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enableAscForServers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForCosmosDbs": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSql": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSqlOnVm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForArm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForOssDb": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForAppServices": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the 
execution of the policy" + } + }, + "enableAscForKeyVault": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForStorage": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForContainers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForApis": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForCspm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "resourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource group location", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.", + "strongType": "location" + } + }, + "resourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource group name", + "description": "The name of the resource group hosting the Log Analytics workspace." 
+ } + }, + "logAnalyticsResourceId": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "The Log Analytics workspace of where the data should be exported to.", + "strongType": "Microsoft.OperationalInsights/workspaces", + "assignPermissions": true + } + }, + "emailContactAsc": { + "type": "String", + "metadata": { + "displayName": "Resource group name", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." + } + }, + "exportedDataTypes": { + "type": "Array", + "metadata": { + "displayName": "Exported data types", + "description": "The data types to be exported. To export a snapshot (preview) of the data once a week, choose the data types which contains 'snapshot', other data types will be sent in real-time streaming." + }, + "allowedValues": [ + "Security recommendations", + "Security alerts", + "Overall secure score", + "Secure score controls", + "Regulatory compliance", + "Overall secure score - snapshot", + "Secure score controls - snapshot", + "Regulatory compliance - snapshot", + "Security recommendations - snapshot", + "Security findings - snapshot" + ], + "defaultValue": [ + "Security recommendations", + "Security alerts", + "Overall secure score", + "Secure score controls", + "Regulatory compliance", + "Overall secure score - snapshot", + "Secure score controls - snapshot", + "Regulatory compliance - snapshot", + "Security recommendations - snapshot", + "Security findings - snapshot" + ] + }, + "recommendationNames": { + "type": "Array", + "metadata": { + "displayName": "Recommendation IDs", + "description": "Applicable only for export of security recommendations. To export all recommendations, leave this empty. 
To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/assessments." + }, + "defaultValue": [] + }, + "recommendationSeverities": { + "type": "Array", + "metadata": { + "displayName": "Recommendation severities", + "description": "Applicable only for export of security recommendations. Determines recommendation severities. Example: High;Medium;Low;" + }, + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": [ + "High", + "Medium", + "Low" + ] + }, + "isSecurityFindingsEnabled": { + "type": "bool", + "metadata": { + "displayName": "Include security findings", + "description": "Security findings are results from vulnerability assessment solutions, and can be thought of as 'sub' recommendations grouped into a 'parent' recommendation." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "secureScoreControlsNames": { + "type": "Array", + "metadata": { + "displayName": "Secure Score Controls IDs", + "description": "Applicable only for export of secure score controls. To export all secure score controls, leave this empty. To export specific secure score controls, enter a list of secure score controls IDs separated by semicolons (';'). Secure score controls IDs are available through the Secure score controls API (https://docs.microsoft.com/rest/api/securitycenter/securescorecontrols), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/securescores/securescorecontrols." + }, + "defaultValue": [] + }, + "alertSeverities": { + "type": "Array", + "metadata": { + "displayName": "Alert severities", + "description": "Applicable only for export of security alerts. Determines alert severities. 
Example: High;Medium;Low;" + }, + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": [ + "High", + "Medium", + "Low" + ] + }, + "regulatoryComplianceStandardsNames": { + "type": "Array", + "metadata": { + "displayName": "Regulatory compliance standards names", + "description": "Applicable only for export of regulatory compliance. To export all regulatory compliance, leave this empty. To export specific regulatory compliance standards, enter a list of these standards names separated by semicolons (';'). Regulatory compliance standards names are available through the regulatory compliance standards API (https://docs.microsoft.com/rest/api/securitycenter/regulatorycompliancestandards), or Azure Resource Graph Explorer, choose securityresources and microsoft.security/regulatorycompliancestandards." + }, + "defaultValue": [] + }, + "guidValue": { + "type": "string", + "defaultValue": "[newGuid()]" + } + }, + "variables": { + "scopeDescription": "scope for subscription {0}", + "subAssessmentRuleExpectedValue": "/assessments/{0}/", + "recommendationNamesLength": "[length(parameters('recommendationNames'))]", + "secureScoreControlsNamesLength": "[length(parameters('secureScoreControlsNames'))]", + "secureScoreControlsLengthIfEmpty": "[if(equals(variables('secureScoreControlsNamesLength'), 0), 1, variables('secureScoreControlsNamesLength'))]", + "regulatoryComplianceStandardsNamesLength": "[length(parameters('regulatoryComplianceStandardsNames'))]", + "regulatoryComplianceStandardsNamesLengthIfEmpty": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), 1, variables('regulatoryComplianceStandardsNamesLength'))]", + "recommendationSeveritiesLength": "[length(parameters('recommendationSeverities'))]", + "alertSeveritiesLength": "[length(parameters('alertSeverities'))]", + "recommendationNamesLengthIfEmpty": "[if(equals(variables('recommendationNamesLength'), 0), 1, variables('recommendationNamesLength'))]", + 
"recommendationSeveritiesLengthIfEmpty": "[if(equals(variables('recommendationSeveritiesLength'), 0), 1, variables('recommendationSeveritiesLength'))]", + "alertSeveritiesLengthIfEmpty": "[if(equals(variables('alertSeveritiesLength'), 0), 1, variables('alertSeveritiesLength'))]", + "totalRuleCombinationsForOneRecommendationName": "[variables('recommendationSeveritiesLengthIfEmpty')]", + "totalRuleCombinationsForOneRecommendationSeverity": 1, + "exportedDataTypesLength": "[length(parameters('exportedDataTypes'))]", + "exportedDataTypesLengthIfEmpty": "[if(equals(variables('exportedDataTypesLength'), 0), 1, variables('exportedDataTypesLength'))]", + "dataTypeMap": { + "Security recommendations": "Assessments", + "Security alerts": "Alerts", + "Overall secure score": "SecureScores", + "Secure score controls": "SecureScoreControls", + "Regulatory compliance": "RegulatoryComplianceAssessment", + "Overall secure score - snapshot": "SecureScoresSnapshot", + "Secure score controls - snapshot": "SecureScoreControlsSnapshot", + "Regulatory compliance - snapshot": "RegulatoryComplianceAssessmentSnapshot", + "Security recommendations - snapshot": "AssessmentsSnapshot", + "Security findings - snapshot": "SubAssessmentsSnapshot" + }, + "alertSeverityMap": { + "High": "high", + "Medium": "medium", + "Low": "low" + }, + "ruleSetsForAssessmentsObj": { + "copy": [ + { + "name": "ruleSetsForAssessmentsArr", + "count": "[mul(variables('recommendationNamesLengthIfEmpty'),variables('recommendationSeveritiesLengthIfEmpty'))]", + "input": { + "rules": [ + { + "propertyJPath": "[if(equals(variables('recommendationNamesLength'),0),'type','name')]", + "propertyType": "string", + "expectedValue": "[if(equals(variables('recommendationNamesLength'),0),'Microsoft.Security/assessments',parameters('recommendationNames')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationName')),variables('recommendationNamesLength'))])]", + "operator": "Contains" + 
}, + { + "propertyJPath": "properties.metadata.severity", + "propertyType": "string", + "expectedValue": "[parameters('recommendationSeverities')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationSeverity')),variables('recommendationSeveritiesLength'))]]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForSubAssessmentsObj": { + "copy": [ + { + "name": "ruleSetsForSubAssessmentsArr", + "count": "[variables('recommendationNamesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "id", + "propertyType": "string", + "expectedValue": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), replace(variables('subAssessmentRuleExpectedValue'),'{0}', parameters('recommendationNames')[copyIndex('ruleSetsForSubAssessmentsArr')]))]", + "operator": "Contains" + } + ] + } + } + ] + }, + "ruleSetsForAlertsObj": { + "copy": [ + { + "name": "ruleSetsForAlertsArr", + "count": "[variables('alertSeveritiesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "Severity", + "propertyType": "string", + "expectedValue": "[variables('alertSeverityMap')[parameters('alertSeverities')[mod(copyIndex('ruleSetsForAlertsArr'),variables('alertSeveritiesLengthIfEmpty'))]]]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForSecureScoreControlsObj": { + "copy": [ + { + "name": "ruleSetsForSecureScoreControlsArr", + "count": "[variables('secureScoreControlsLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "name", + "propertyType": "string", + "expectedValue": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), parameters('secureScoreControlsNames')[copyIndex('ruleSetsForSecureScoreControlsArr')])]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForRegulatoryComplianceObj": { + "copy": [ + { + "name": "ruleSetsForRegulatoryCompliancArr", + "count": "[variables('regulatoryComplianceStandardsNamesLengthIfEmpty')]", + 
"input": { + "rules": [ + { + "propertyJPath": "id", + "propertyType": "string", + "expectedValue": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), parameters('regulatoryComplianceStandardsNames')[copyIndex('ruleSetsForRegulatoryCompliancArr')])]", + "operator": "Contains" + } + ] + } + } + ] + }, + "ruleSetsForSecureScoreControlsObj": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), variables('customRuleSetsForSecureScoreControlsObj').ruleSetsForSecureScoreControlsArr)]", + "ruleSetsForSecureRegulatoryComplianceObj": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), variables('customRuleSetsForRegulatoryComplianceObj').ruleSetsForRegulatoryCompliancArr)]", + "ruleSetsForSubAssessmentsObj": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), variables('customRuleSetsForSubAssessmentsObj').ruleSetsForSubAssessmentsArr)]", + "subAssessmentSource": [ + { + "eventSource": "SubAssessments", + "ruleSets": "[variables('ruleSetsForSubAssessmentsObj')]" + } + ], + "ruleSetsMap": { + "Security recommendations": "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]", + "Security alerts": "[variables('ruleSetsForAlertsObj').ruleSetsForAlertsArr]", + "Overall secure score": null, + "Secure score controls": "[variables('ruleSetsForSecureScoreControlsObj')]", + "Regulatory compliance": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]", + "Overall secure score - snapshot": null, + "Secure score controls - snapshot": "[variables('ruleSetsForSecureScoreControlsObj')]", + "Regulatory compliance - snapshot": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]", + "Security recommendations - snapshot": "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]", + "Security findings - snapshot": "[variables('ruleSetsForSubAssessmentsObj')]" + }, + "sourcesWithoutSubAssessments": { + "copy": [ + { + "name": "sources", + "count": 
"[variables('exportedDataTypesLengthIfEmpty')]", + "input": { + "eventSource": "[variables('dataTypeMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]", + "ruleSets": "[variables('ruleSetsMap')[parameters('exportedDataTypes')[copyIndex('sources')]]]" + } + } + ] + }, + "sourcesWithSubAssessments": "[concat(variables('subAssessmentSource'),variables('sourcesWithoutSubAssessments').sources)]", + "sources": "[if(equals(parameters('isSecurityFindingsEnabled'),bool('true')),variables('sourcesWithSubAssessments'),variables('sourcesWithoutSubAssessments').sources)]" + }, + "resources": [ + { + "condition": "[equals(parameters('enableAscForStorage'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "StorageAccounts", + "properties": { + "pricingTier": "Standard", + "subPlan": "DefenderForStorageV2", + "extensions": [ + { + "name": "OnUploadMalwareScanning", + "isEnabled": "True", + "additionalExtensionProperties": { + "CapGBPerMonthPerStorageAccount": "5000" + } + }, + { + "name": "SensitiveDataDiscovery", + "isEnabled": "True" + } + ] + } + }, + { + "condition": "[equals(parameters('enableAscForServers'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "VirtualMachines", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'StorageAccounts')]" + ], + "properties": { + "pricingTier": "Standard", + "subPlan": "P2", + "resourcesCoverageStatus": "FullyCovered" + } + }, + { + "condition": "[equals(parameters('enableAscForSql'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "SqlServers", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'VirtualMachines')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForAppServices'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", 
+ "name": "AppServices", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'SqlServers')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "SqlServerVirtualMachines", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'AppServices')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForContainers'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "Containers", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'SqlServerVirtualMachines')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForKeyVault'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "KeyVaults", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'Containers')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForArm'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "Arm", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'KeyVaults')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForOssDb'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "OpenSourceRelationalDatabases", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'Arm')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForCosmosDbs'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "CosmosDbs", + "dependsOn": [ 
+ "[resourceId('Microsoft.Security/pricings', 'OpenSourceRelationalDatabases')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForCspm'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "CloudPosture", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'CosmosDbs')]" + ], + "properties": { + "pricingTier": "Standard" + } + }, + { + "condition": "[equals(parameters('enableAscForApis'), 'DeployIfNotExists')]", + "type": "Microsoft.Security/pricings", + "apiVersion": "2024-01-01", + "name": "Api", + "dependsOn": [ + "[resourceId('Microsoft.Security/pricings', 'CloudPosture')]" + ], + "properties": { + "pricingTier": "Standard", + "subPlan": "P1" + } + }, + { + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "name": "default", + "properties": { + "description": "Defender for Cloud security contacts", + "emails": "[parameters('emailContactAsc')]", + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + }, + "alertNotifications": { + "state": "On", + "minimalSeverity": "Medium" + } + } + }, + { + "name": "[parameters('resourceGroupName')]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('resourceGroupLocation')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]", + "resourceGroup": "[parameters('resourceGroupName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('resourceGroupName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "tags": {}, + "apiVersion": 
"2019-01-01-preview", + "location": "[parameters('resourceGroupLocation')]", + "name": "ExportToWorkspace", + "type": "Microsoft.Security/automations", + "dependsOn": [], + "properties": { + "description": "Export Microsoft Defender for Cloud data to Log Analytics workspace via policy", + "isEnabled": true, + "scopes": [ + { + "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]", + "scopePath": "[subscription().id]" + } + ], + "sources": "[variables('sources')]", + "actions": [ + { + "actionType": "Workspace", + "workspaceResourceId": "[parameters('logAnalyticsResourceId')]" + } + ] + } + } + ] + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json b/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json index f524364fb3..631f20d388 100644 --- a/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json +++ b/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json @@ -93,6 +93,10 @@ "type": "string", "defaultValue": "" }, + "enableVpnActiveActive": { + "type": "string", + "defaultValue": "" + }, "gwAzSku": { "type": "string", "defaultValue": "" 
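Review bot: The metadata on `emailContactAsc` is a copy-paste error: its `displayName` is `"Resource group name"` and its `description` talks about the export resource group, although the value is written to `Microsoft.Security/securityContacts` as the alert-notification `emails` list. Replace them with `"displayName": "Security contact e-mail"` and a description such as "E-mail address(es), semicolon-separated per the securityContacts API, that receive Defender for Cloud alert notifications of severity Medium and above, in addition to subscription Owners." The `resourceGroupLocation` description carries the same copied text and should instead say it is the location of the resource group that hosts the export automation. Separately, the `securityContacts` resource is unconditional and hard-codes `minimalSeverity` to `"Medium"` and `roles` to `Owner`, which silently drops Low-severity alert mail; consider surfacing both as parameters, or at least adding a comment stating that this is the intended notification policy.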
@@ -123,9 +127,11 @@ "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]", "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]", "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]", + "azVpnGwAAIpName": "[concat(variables('vpngwname'), '-pip-002')]", "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", "azErGwIpName": "[concat(variables('erGwName'), '-pip')]", "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "azVpnGwAAPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]", "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]", "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]", 
@@ -225,7 +231,20 @@ } }, { - "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "location": "[parameters('location')]", + "name": "[variables('azVpnGwAAIpName')]", + "sku": { + "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + }, + "properties": { + "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + } + }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'No'), not(empty(parameters('subnetMaskForGw'))))]", "apiVersion": "2020-05-01", "name": "[variables('vpngwname')]", "type": "Microsoft.Network/virtualNetworkGateways", @@ -235,6 +254,7 @@ "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" ], "properties": { + "activeActive": false, "gatewayType": "Vpn", "vpnGatewayGeneration": "Generation2", "vpnType": "RouteBased", 
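Review bot: The new active-standby gateway condition `equals(parameters('enableVpnActiveActive'),'No')`, combined with the parameter's default of `""` from the earlier hunk, means a caller that sets `enableVpnGw` to `Yes` but does not pass `enableVpnActiveActive` now gets no VPN gateway at all, because neither the `'Yes'` nor the `'No'` resource matches; before this change the gateway was deployed whenever `enableVpnGw` was `Yes`. Make the active-standby branch the default with `"condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(equals(parameters('enableVpnActiveActive'),'Yes')), not(empty(parameters('subnetMaskForGw'))))]"`, or give the parameter `"allowedValues": ["Yes","No"]` with `"defaultValue": "No"`. The second public IP also copies the existing Basic-SKU/Dynamic pattern for non-zonal gateways; given Azure's announced retirement of the Basic public IP SKU, a Standard/Static address would be the safer choice for a newly added resource, assuming the selected gateway SKU accepts it. The gateway resource whose condition is changed here continues past the end of the hunk.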
@@ -274,6 +294,70 @@ } } }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "name": "[variables('vpngwname')]", + "type": "Microsoft.Network/virtualNetworkGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "activeActive": true, + "gatewayType": "Vpn", + "vpnGatewayGeneration": "Generation2", + "vpnType": "RouteBased", + "ipConfigurations": [ + { + "name": "default", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azVpnGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azVpnGwPipId')]" + } + } + }, + { + "name": "activeactive", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azVpnGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azVpnGwAAPipId')]" + } + } + } + ], + "sku": { + "name": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]", + "tier": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]" + } + } + }, { "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", "apiVersion": "2020-05-01", diff --git a/eslzArm/subscriptionTemplates/vnetPeering.json b/eslzArm/subscriptionTemplates/vnetPeering.json index a1f4bc65bd..750935b657 100644 --- a/eslzArm/subscriptionTemplates/vnetPeering.json 
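Review bot: The active-active gateway is a near-complete copy of the active-standby resource that, from what is visible, differs only in `activeActive: true`, the extra `dependsOn` entry and the second `ipConfigurations` element, so SKU-selection or VPN-setting changes now have to be made twice and the two copies can drift. A single `virtualNetworkGateways` resource with `"activeActive": "[equals(parameters('enableVpnActiveActive'),'Yes')]"` and `"ipConfigurations": "[if(equals(parameters('enableVpnActiveActive'),'Yes'), variables('vpnGwIpConfigsActiveActive'), variables('vpnGwIpConfigs'))]"` (the two arrays moved into `variables`) would remove the duplication while keeping the parameter interface unchanged. A comment above the resource noting that active-active mode requires the second public IP and, per the gateway SKU documentation, is not available on the Basic gateway SKU would also help readers who only see the parameter.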
+++ b/eslzArm/subscriptionTemplates/vnetPeering.json @@ -80,7 +80,7 @@ { "type": "Microsoft.Resources/resourceGroups", "apiVersion": "2020-06-01", - "name": "NetworkWatcherRG", + "name": "[concat('NetworkWatcherRG-', parameters('vNetLocation'))]", "location": "[parameters('vNetLocation')]", "properties": {} } diff --git a/eslzArm/subscriptionTemplates/vnetPeeringHub.json b/eslzArm/subscriptionTemplates/vnetPeeringHub.json new file mode 100644 index 0000000000..0cebe9390e --- /dev/null +++ b/eslzArm/subscriptionTemplates/vnetPeeringHub.json 
@@ -0,0 +1,113 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "hubResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId for the primary hub." + } + }, + "hubResourceIdSecondary": { + "type": "string", + "metadata": { + "description": "Provide the resourceId for the secondary hub." + } + }, + "hubLocation": { + "type": "string", + "metadata": { + "description": "Provide the location for the primary hub." + } + }, + "hubLocationSecondary": { + "type": "string", + "metadata": { + "description": "Provide the location for the secondary hub." + } + }, + "hubRgName": { + "type": "string", + "metadata": { + "description": "Provide the name of the RG of the primary hub." + } + }, + "hubRgNameSecondary": { + "type": "string", + "metadata": { + "description": "Provide the name of the RG of the Secondary hub." + } + } + }, + "variables": { + "hubName": "[last(split(parameters('hubResourceId'), '/'))]", + "hubNameSecondary": "[last(split(parameters('hubResourceIdSecondary'), '/'))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('alz-vnet-', parameters('hubLocation'), '-', substring(uniqueString(subscription().id),0,6))]", + "resourceGroup": "[parameters('hubRgName')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "apiVersion": "2020-07-01", + "name": "[concat(variables('hubName'), '/peerTo', variables('hubNameSecondary'))]", + "properties": { + "remoteVirtualNetwork": { + "id": "[parameters('hubResourceIdSecondary')]" + }, + "allowVirtualNetworkAccess": true, + 
"allowForwardedTraffic": true, + "allowGatewayTransit": false, + "useRemoteGateways": false + } + } + ], + "outputs": {} + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('alz-vnet-', parameters('hubLocationSecondary'), '-', substring(uniqueString(subscription().id),0,6))]", + "resourceGroup": "[parameters('hubRgNameSecondary')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "apiVersion": "2020-07-01", + "name": "[concat(variables('hubNameSecondary'), '/peerTo', variables('hubName'))]", + "properties": { + "remoteVirtualNetwork": { + "id": "[parameters('hubResourceId')]" + }, + "allowVirtualNetworkAccess": true, + "allowForwardedTraffic": true, + "allowGatewayTransit": false, + "useRemoteGateways": false + } + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/vnetPeeringVwan.json b/eslzArm/subscriptionTemplates/vnetPeeringVwan.json index 0027eec257..a0f502f0e4 100644 --- a/eslzArm/subscriptionTemplates/vnetPeeringVwan.json +++ b/eslzArm/subscriptionTemplates/vnetPeeringVwan.json @@ -58,7 +58,7 @@ { "type": "Microsoft.Resources/resourceGroups", "apiVersion": "2020-06-01", - "name": "NetworkWatcherRG", + "name": "[concat('NetworkWatcherRG-', parameters('vNetLocation'))]", "location": "[parameters('vNetLocation')]", "properties": {} } diff --git a/eslzArm/subscriptionTemplates/vwan-connectivity.json b/eslzArm/subscriptionTemplates/vwan-connectivity.json index ba8142b855..5a917da7ee 100644 --- a/eslzArm/subscriptionTemplates/vwan-connectivity.json +++ b/eslzArm/subscriptionTemplates/vwan-connectivity.json 
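Review bot: `hubRgName` and `hubRgNameSecondary` are passed independently of `hubResourceId`/`hubResourceIdSecondary`, so a caller can name a resource group that does not contain the VNet in the ID and the peering deployment lands in the wrong group; the group is already encoded in the ID and can be derived in `variables` with `"hubRgName": "[split(parameters('hubResourceId'), '/')[4]]"`, removing two inputs that can only ever disagree. `hubLocation`/`hubLocationSecondary` are used solely to build the nested deployment names, so if both hubs share a region and resource group the two deployments appear to get the same name; keying on the hub name instead (`concat('alz-vnet-', variables('hubName'), '-', ...)`) avoids that collision. Worth a comment on the peering properties as well: `allowForwardedTraffic: true` with `useRemoteGateways: false` on both sides means hub-to-hub traffic is accepted as-is and nothing in this template forces it through either hub's firewall, so any required cross-hub inspection depends on route tables defined elsewhere.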
@@ -44,6 +44,7 @@
 "firewallSku": {
 "type": "string",
 "allowedValues": [
+ "Basic",
 "Standard",
 "Premium"
 ],
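Review bot: Adding `Basic` to `firewallSku` lets a caller pick a tier the rest of the template does not account for: as far as I recall a Basic-tier firewall policy does not support DNS proxy, so combining it with `enableAzFwDnsProxy` set to Yes (the `dnsSettings` assignment is outside this hunk) will be rejected at deployment, and I'm not certain the `AZFW_Hub` firewall on the `2020-05-01` API version used for the secondary firewall accepts the Basic tier at all. Either guard the DNS-proxy expression with `not(equals(parameters('firewallSku'), 'Basic'))` or document the restriction in the parameter's `metadata.description`.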
@@ -90,6 +91,178 @@ "firewallZones": { "type": "array", "defaultValue": [] + }, + "internetTrafficRoutingPolicy": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Enable vWAN Routing Intent and Policy for Internet Traffic" + } + }, + "privateTrafficRoutingPolicy": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Enable vWAN Routing Intent and Policy for Private Traffic" + } + }, + "enablevWANRoutingIntent":{ + "type": "string", + "allowedValues":[ + "Yes", + "No" + ], + "metadata": { + "description": + "Enable vWAN Routing Intent" + } + }, + "vWANHubRoutingPreference":{ + "type": "string", + "defaultValue": "ExpressRoute", + "allowedValues":[ + "ExpressRoute", + "VpnGateway", + "ASPath" + ], + "metadata": { + "description": + "vWAN Hub Routing Preference" + } + }, + "vWANHubCapacity":{ + "type": "string", + "metadata": { + "description": + "vWAN Hub Capacity Units" + }, + "defaultValue": "2" + }, + "addressPrefixSecondary": { + "type": "string", + "metadata": { + "displayName": "addressPrefix", + "description": "Address prefix of the VHUB" + }, + "defaultValue": "10.100.0.0/23" + }, + "locationSecondary": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Location of the VHUB" + }, + "defaultValue": "[deployment().location]" + }, + "enableHubSecondary": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "enableAzFwSecondary": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "firewallSkuSecondary": { + "type": "string", + "allowedValues": [ + "Basic", + "Standard", + "Premium" + ], + "defaultValue": "Standard" + }, + "enableAzFwDnsProxySecondary": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the Azure Firewall should be used as DNS Proxy or not." 
+ } + }, + "enableVpnGwSecondary": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "enableErGwSecondary": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "vpnGateWayScaleUnitSecondary": { + "type": "string", + "defaultValue": "1" + }, + "expressRouteScaleUnitSecondary": { + "type": "string", + "defaultValue": "1" + }, + "firewallZonesSecondary": { + "type": "array", + "defaultValue": [] + }, + "internetTrafficRoutingPolicySecondary": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Enable vWAN Routing Intent and Policy for Internet Traffic" + } + }, + "privateTrafficRoutingPolicySecondary": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Enable vWAN Routing Intent and Policy for Private Traffic" + } + }, + "enablevWANRoutingIntentSecondary":{ + "type": "string", + "allowedValues":[ + "Yes", + "No" + ], + "metadata": { + "description": + "Enable vWAN Routing Intent" + } + }, + "vWANHubRoutingPreferenceSecondary":{ + "type": "string", + "defaultValue": "ExpressRoute", + "allowedValues":[ + "ExpressRoute", + "VpnGateway", + "ASPath" + ], + "metadata": { + "description": + "vWAN Hub Routing Preference" + } + }, + "vWANHubCapacitySecondary":{ + "type": "string", + "metadata": { + "description": + "vWAN Hub Capacity Units" + }, + "defaultValue": "2" } }, "variables": { 
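Review bot: `enablevWANRoutingIntent` and `enablevWANRoutingIntentSecondary` have no `defaultValue`, which makes them mandatory and breaks every existing parameter file or pipeline that calls this template without them; `"defaultValue": "No"` keeps the new behaviour opt-in. `locationSecondary` defaults to `[deployment().location]`, and since every secondary name is derived from that location (`-hub-`, `-fw-`, `-vpngw-` suffixes in the variables), a caller who sets `enableHubSecondary` to Yes without changing the location gets names that collide with the primary hub's if the primary also deploys to `deployment().location` — I can't see the primary `location` default from here, but a distinct default or a note in the metadata would make this explicit. The `metadata.displayName` values on `addressPrefixSecondary` and `locationSecondary` (`addressPrefix`, `location`) look copy-pasted and should say "Secondary".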
@@ -111,7 +284,22 @@
 },
 "azFirewallDnsSettings": {
 "enableProxy": true
- }
+ },
+ "routingIntentnexthop":"[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwName'))]",
+ "vpngwnameSecondary": "[concat(parameters('topLevelManagementGroupPrefix'), '-vpngw-', parameters('locationSecondary'))]",
+ "ergwnameSecondary": "[concat(parameters('topLevelManagementGroupPrefix'), '-ergw-', parameters('locationSecondary'))]",
+ "vHubNameSecondary": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('locationSecondary'))]",
+ "azFwNameSecondary": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('locationSecondary'))]",
+ "azFwPolicyNameSecondary": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('locationSecondary'))]",
+ "vwanhubSecondary": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualHubs/', variables('vhubnameSecondary'))]",
+ "vhubskuSecondary": "Standard",
+ "azFirewallPolicyIdSecondary": {
+ "id": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/firewallPolicies/', variables('azFwPolicyNameSecondary'))]"
+ },
+ "azFirewallDnsSettingsSecondary": {
+ "enableProxy": true
+ },
+ "routingIntentnexthopSecondary":"[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwNameSecondary'))]"
 },
 "resources": [
 {
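Review bot: `vwanhubSecondary` refers to `variables('vhubnameSecondary')` while the variable is declared as `vHubNameSecondary` (the secondary firewall's `dependsOn` further down uses a third spelling, `vhubnamesecondary`); ARM resolves variable names case-insensitively as far as I know, so it deploys, but one spelling throughout avoids a silent break if this is ever ported to Bicep, where identifiers are case-sensitive. `variables ('rgName')` with a space before the parenthesis in `routingIntentnexthop` and `routingIntentnexthopSecondary` is inconsistent with every other expression in the file; I'd normalise it to `variables('rgName')`. `azFirewallDnsSettingsSecondary` duplicates `azFirewallDnsSettings` verbatim and the secondary firewall policy could reuse the existing variable.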
@@ -163,7 +351,7 @@
 {
 "condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('addressPrefix'))))]",
 "type": "Microsoft.Network/virtualHubs",
- "apiVersion": "2020-05-01",
+ "apiVersion": "2023-04-01",
 "location": "[parameters('location')]",
 "name": "[variables('vhubname')]",
 "dependsOn": [
@@ -174,8 +362,12 @@
 "id": "[variables('vwanresourceid')]"
 },
 "addressPrefix": "[parameters('addressPrefix')]",
- "sku": "[variables('vhubsku')]"
- }
+ "sku": "[variables('vhubsku')]",
+ "hubRoutingPreference": "[parameters('vWANHubRoutingPreference')]",
+ "virtualRouterAutoScaleConfiguration": {
+ "minCapacity": "[int(parameters('vWANHubCapacity'))]"
+ }
+ }
 },
 {
 "condition": "[and(equals(parameters('enableHub'), 'vwan'), equals(parameters('enableVpnGw'), 'Yes'))]",
@@ -184,7 +376,7 @@
 "location": "[parameters('location')]",
 "name": "[variables('vpngwname')]",
 "dependsOn": [
- "[concat('Microsoft.Network/virtualHubs/',variables('vhubname'))]"
+ "[concat('Microsoft.Network/virtualHubs/', variables('vhubname'))]"
 ],
 "properties": {
 "virtualHub": {
@@ -238,7 +430,7 @@
 "zones": "[if(not(empty(parameters('firewallZones'))), parameters('firewallZones'), json('null'))]",
 "dependsOn": [
 "[concat('Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]",
- "[concat('Microsoft.Network/virtualHubs/',variables('vhubname'))]"
+ "[concat('Microsoft.Network/virtualHubs/', variables('vhubname'))]"
 ],
 "properties": {
 "sku": {
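Review bot: `minCapacity` is fed from `int(parameters('vWANHubCapacity'))`, but that parameter (and `vWANHubCapacitySecondary`) is an unconstrained string, so a typo only surfaces at deployment time inside `int()` and out-of-range values are passed straight to the API. Declaring it as `"type": "int"` with `"minValue": 2` and `"defaultValue": 2` would validate it up front (the virtual hub minimum is 2 routing infrastructure units, I believe), at the cost of callers having to pass a number; if that interface change is unwanted, at least document the accepted range in the parameter's `metadata.description`. The `vpnGateways` resource in the next hunk stays on `2020-05-01` while the hub moves to `2023-04-01`, which is fine if intentional but worth a line in the PR description.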
@@ -258,7 +450,160 @@ "id": "[variables('azFirewallPolicyId').id]" } } + }, + { + "condition":"[and(equals(parameters('enablevWANRoutingIntent'), 'Yes'),equals(parameters('enableAzFw'), 'Yes'))]", + "type": "Microsoft.Network/virtualHubs/routingIntent", + "apiVersion": "2023-04-01", + "name":"[concat(variables('vhubname'),'/','RoutingIntent')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualHubs/', variables('vhubname'))]", + "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwName'))]" + ], + "properties":{ + "routingPolicies": "[ + if(and(equals(parameters('internetTrafficRoutingPolicy'), true()), + equals(parameters('privateTrafficRoutingPolicy'), true())), + createArray( + createObject('name', 'PublicTraffic', 'destinations', createArray('Internet'), 'nextHop', variables('routingIntentnexthop')), + createObject('name', 'PrivateTraffic', 'destinations', createArray('PrivateTraffic'), 'nextHop', variables('routingIntentnexthop'))), + if(and(equals(parameters('internetTrafficRoutingPolicy'), true()), + equals(parameters('privateTrafficRoutingPolicy'), false())), + createArray( + createObject('name', 'PublicTraffic', 'destinations', createArray('Internet'), 'nextHop', variables('routingIntentnexthop'))), + createArray( + createObject('name', 'PrivateTraffic', 'destinations', createArray('PrivateTraffic'), 'nextHop', variables('routingIntentnexthop')))))]" + } + }, + //Begin Secondary vhub Deployment + { + "condition": "[and(equals(parameters('enableHubSecondary'), 'Yes'), not(empty(parameters('addressPrefixSecondary'))))]", + "type": "Microsoft.Network/virtualHubs", + "apiVersion": "2023-04-01", + "location": "[parameters('locationSecondary')]", + "name": "[variables('vHubNameSecondary')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualWans/', variables('vWanName'))]" + ], + "properties": { + "virtualWan": { + "id": 
"[variables('vwanresourceid')]" + }, + "addressPrefix": "[parameters('addressPrefixSecondary')]", + "sku": "[variables('vhubskuSecondary')]", + "hubRoutingPreference": "[parameters('vWANHubRoutingPreferenceSecondary')]", + "virtualRouterAutoScaleConfiguration": { + "minCapacity": "[int(parameters('vWANHubCapacitySecondary'))]" + } + } + }, + { + "condition": "[and(equals(parameters('enableHubSecondary'), 'Yes'), equals(parameters('enableVpnGwSecondary'), 'Yes'))]", + "type": "Microsoft.Network/vpnGateways", + "apiVersion": "2020-05-01", + "location": "[parameters('locationSecondary')]", + "name": "[variables('vpngwnameSecondary')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualHubs/', variables('vHubNameSecondary'))]" + ], + "properties": { + "virtualHub": { + "id": "[variables('vwanhub')]" + }, + "bgpSettings": { + "asn": "[variables('vpnbgpasn')]" + }, + "vpnGatewayScaleUnit": "[int(parameters('vpnGateWayScaleUnit'))]" + } + }, + { + "condition": "[and(equals(parameters('enableHubSecondary'), 'Yes'), equals(parameters('enableErGwSecondary'), 'Yes'))]", + "type": "Microsoft.Network/expressRouteGateways", + "apiVersion": "2020-05-01", + "location": "[parameters('locationSecondary')]", + "name": "[variables('ergwnameSecondary')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualHubs/', variables('vHubNameSecondary'))]" + ], + "properties": { + "virtualHub": { + "id": "[variables('vwanhubSecondary')]" + }, + "autoScaleConfiguration": { + "bounds": { + "min": "[int(parameters('expressRouteScaleUnitSecondary'))]" + } + } + } + }, + { + "condition": "[equals(parameters('enableAzFwSecondary'), 'Yes')]", + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2020-11-01", + "name": "[variables('azFwPolicyNameSecondary')]", + "location": "[parameters('locationSecondary')]", + "properties": { + "dnsSettings": "[if(equals(parameters('enableAzFwDnsProxySecondary'), 'Yes'), variables('azFirewallDnsSettingsSecondary'), json('null'))]", + "sku": { + 
"tier": "[parameters('firewallSkuSecondary')]" + } + } + }, + { + "condition": "[equals(parameters('enableAzFwSecondary'), 'Yes')]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/azureFirewalls", + "name": "[variables('azFwNameSecondary')]", + "location": "[parameters('locationSecondary')]", + "zones": "[if(not(empty(parameters('firewallZonesSecondary'))), parameters('firewallZonesSecondary'), json('null'))]", + "dependsOn": [ + "[concat('Microsoft.Network/firewallPolicies/', variables('azFwPolicyNameSecondary'))]", + "[concat('Microsoft.Network/virtualHubs/', variables('vhubnamesecondary'))]" + ], + "properties": { + "sku": { + "Name": "AZFW_Hub", + "Tier": "[parameters('firewallSkuSecondary')]" + }, + "hubIPAddresses": { + "publicIPs": { + "addresses": "[json('[]')]", + "count": 1 + } + }, + "virtualHub": { + "id": "[variables('vwanhubSecondary')]" + }, + "firewallPolicy": { + "id": "[variables('azFirewallPolicyIdSecondary').id]" + } + } + }, + { + "condition":"[and(equals(parameters('enablevWANRoutingIntentSecondary'), 'Yes'),equals(parameters('enableAzFwSecondary'), 'Yes'))]", + "type": "Microsoft.Network/virtualHubs/routingIntent", + "apiVersion": "2023-04-01", + "name":"[concat(variables('vHubNameSecondary'),'/','RoutingIntent')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualHubs/', variables('vHubNameSecondary'))]", + "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables ('rgName'), '/providers/Microsoft.Network/azureFirewalls/', variables ('azFwNameSecondary'))]" + ], + "properties":{ + "routingPolicies": "[ + if(and(equals(parameters('internetTrafficRoutingPolicySecondary'), true()), + equals(parameters('privateTrafficRoutingPolicySecondary'), true())), + createArray( + createObject('name', 'PublicTraffic', 'destinations', createArray('Internet'), 'nextHop', variables('routingIntentnexthopSecondary')), + createObject('name', 'PrivateTraffic', 'destinations', createArray('PrivateTraffic'), 
'nextHop', variables('routingIntentnexthopSecondary'))), + if(and(equals(parameters('internetTrafficRoutingPolicySecondary'), true()), + equals(parameters('privateTrafficRoutingPolicySecondary'), false())), + createArray( + createObject('name', 'PublicTraffic', 'destinations', createArray('Internet'), 'nextHop', variables('routingIntentnexthopSecondary'))), + createArray( + createObject('name', 'PrivateTraffic', 'destinations', createArray('PrivateTraffic'), 'nextHop', variables('routingIntentnexthopSecondary')))))]" + } } + ] } } diff --git a/examples/landing-zones/connected-subscription/README.md b/examples/landing-zones/connected-subscription/README.md index e58cb0b00d..281ecc34c4 100644 --- a/examples/landing-zones/connected-subscription/README.md +++ b/examples/landing-zones/connected-subscription/README.md @@ -2,7 +2,7 @@ The ARM template provided in this folder can be used to create new, connected subscriptions into the targeted management group. -## Pre-requsites +## Pre-requisites This ARM template takes a dependency on the 'Deploy-VNET-HubSpoke' policy provided by Enterprise-Scale reference implementations, and will invoke the template deployment in the policyDefinition as part of assigning the policy to the newly created landing zone (subscription). When deploying the Enterprise-Scale reference implementations, the definition will be located at the top level management group, and the resource Id will be "/providers/Microsoft.Management/managementGroups//Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke" @@ -174,4 +174,4 @@ az deployment mg create \ --name \ --location \ --management-group-id \ - --template-uri "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/examples/landing-zones/connected-subscription/connectedSubscription.json" \ No newline at end of file + --template-uri "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/examples/landing-zones/connected-subscription/connectedSubscription.json" 
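Review bot: The secondary `Microsoft.Network/vpnGateways` resource attaches to the primary hub: its `virtualHub.id` is `[variables('vwanhub')]` and its scale unit reads `parameters('vpnGateWayScaleUnit')`, even though the resource is conditioned on `enableVpnGwSecondary` and depends on `vHubNameSecondary`; those two lines should be `"id": "[variables('vwanhubSecondary')]"` and `"vpnGatewayScaleUnit": "[int(parameters('vpnGateWayScaleUnitSecondary'))]"`. The `routingPolicies` expression (primary and secondary `routingIntent`) has no branch for both traffic flags being false — it falls through to the PrivateTraffic-only array, so an operator who disables both policies still gets private traffic steered to the firewall; either exclude that combination in the resource `condition` or document that at least one policy is always created. The `//Begin Secondary vhub Deployment` line is a JSONC comment inside the `resources` array; the Azure CLI/PowerShell deployment path tolerates it, but `jq`, schema validators and most CI linters will not parse the file, so a `"comments"` property on the first secondary resource is the safer place for it.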
diff --git a/src/Alz.Tools/functions/Alz.Tools.ps1 b/src/Alz.Tools/functions/Alz.Tools.ps1 index 8198aebdd6..d45212513b 100644 --- a/src/Alz.Tools/functions/Alz.Tools.ps1 +++ b/src/Alz.Tools/functions/Alz.Tools.ps1 @@ -71,6 +71,10 @@ function ProcessObjectByResourceType { } "microsoft.authorization/policysetdefinitions" { $outputObject = [PolicySetDefinition]::new($ResourceObject) + # Workaround for policySetDefinitions that only have a single policyDefinition. PowerShell tires to convert to an object in that scenario. + if($outputObject.properties.policyDefinitions.GetType().ToString() -eq "PolicySetDefinitionPropertiesPolicyDefinitions") { + $outputObject.properties.policyDefinitions = @($outputObject.properties.policyDefinitions) + } } "microsoft.authorization/roleassignments" { $outputObject = [RoleAssignment]::new($ResourceObject) @@ -691,7 +695,7 @@ function Invoke-RemoveOrphanedRoleAssignment { throw $getResponse.Content } - # Get a list of assigned principalId values and lookup against AAD + # Get a list of assigned principalId values and lookup against Microsoft Entra ID $principalsRequestUri = "https://graph.microsoft.com/v1.0/directoryObjects/microsoft.graph.getByIds" $principalsRequestBody = @{ ids = $roleAssignments.properties.principalId @@ -699,7 +703,7 @@ function Invoke-RemoveOrphanedRoleAssignment { $principalsResponse = Invoke-AzRestMethod -Method "POST" -Uri $principalsRequestUri -Payload $principalsRequestBody -WhatIf:$false $principalIds = ($principalsResponse.Content | ConvertFrom-Json).value.id - # Find all Role Assignments where the principalId is not found in AAD + # Find all Role Assignments where the principalId is not found in Microsoft Entra ID $orphanedRoleAssignments = $roleAssignments | Where-Object { ($_.properties.scope -eq "/subscriptions/$($subId)") -and ($_.properties.principalId -notin $principalIds) 
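Review bot: The new guard calls `.GetType()` on `$outputObject.properties.policyDefinitions`, which throws if that property is `$null`, so a set definition without `policyDefinitions` would now abort the whole `switch` instead of passing through; comparing the type by its `ToString()` name is also fragile. Assuming the property is not strongly typed as an array, `if ($null -ne $outputObject.properties.policyDefinitions -and $outputObject.properties.policyDefinitions -isnot [array]) {` expresses the intent ("wrap a single item") without naming the class. The comment has a typo: "tires" should be "tries". `ProcessObjectByResourceType` starts before this hunk.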
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS.json
index 6be9ff1d51..31383ad3fa 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS.json
@@ -9,7 +9,7 @@
 "displayName": "AppService append sites with minimum TLS version to enforce.",
 "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "App Service",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -49,8 +49,8 @@
 "if": {
 "allOf": [
 {
- "field": "type",
- "equals": "Microsoft.Web/sites/config"
+ "field": "Microsoft.Web/sites/config/minTlsVersion",
+ "exists": "true"
 },
 {
 "field": "Microsoft.Web/sites/config/minTlsVersion",
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort.json b/src/resources/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort.json
index 9a90a13abc..27d90714d3 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort.json
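Review bot: Replacing the `type` check with `"field": "Microsoft.Web/sites/config/minTlsVersion", "exists": "true"` narrows the Append to config requests that already carry `minTlsVersion`; a `Microsoft.Web/sites/config` write that omits the property entirely used to match on type alone and is now out of scope, so it gets the platform default instead of the appended value. If that is the intent — presumably to stop appending the property to config sub-resources that don't have it — say so in the `description`, since the text still reads as if every site config is covered; if not, keep the old `type` condition alongside the new one. The remaining condition of the rule continues past the hunk, so I can't see how `minTlsVersion` is compared. The 1.0.0 → 1.1.0 bump is consistent with a behavioural change.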
@@ -9,7 +9,7 @@
 "displayName": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.",
 "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.1",
 "category": "Cache",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -24,8 +24,7 @@
 "defaultValue": "Append",
 "allowedValues": [
 "Append",
- "Disabled",
- "Modify"
+ "Disabled"
 ],
 "metadata": {
 "displayName": "Effect Azure Cache for Redis",
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit.json b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit.json
new file mode 100644
index 0000000000..86e6da5199
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit.json
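Review bot: Removing `Modify` from the effect's `allowedValues` is a breaking change for any existing assignment that selected it — redeploying such an assignment fails parameter validation — yet the `version` only moves from 1.0.0 to 1.0.1. If the repository follows semver for policy versions this deserves a minor or major bump, and the PR description should tell consumers to switch affected assignments to `Append` before upgrading.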
@@ -0,0 +1,88 @@ +{ + "name": "Audit-AzureHybridBenefit", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Audit AHUB for eligible VMs", + "mode": "All", + "description": "Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "in": [ + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets" + ] + }, + { + "equals": "MicrosoftWindowsServer", + "field": "Microsoft.Compute/imagePublisher" + }, + { + "equals": "WindowsServer", + "field": "Microsoft.Compute/imageOffer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSKU", + "like": "2008-R2-SP1*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2022-*" + } + ] + }, + { + "field": "Microsoft.Compute/licenseType", + "notEquals": "Windows_Server" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
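Review bot: The rule identifies Windows Server only through `Microsoft.Compute/imagePublisher`, `imageOffer` and `imageSKU`, so VMs and scale sets built from custom or Shared Image Gallery images (which, as far as I know, don't populate those aliases) are never evaluated; the `description` should state that the policy covers marketplace `MicrosoftWindowsServer` images only, so an all-compliant result isn't read as full AHUB coverage. The `like "2008-R2-SP1*"` branch also flags an OS that is long out of support; keeping it is fine for cost purposes but worth a sentence in the PR description. `"mode": "Indexed"` is the more conventional choice for a VM-scoped policy than `All`, though both work here.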
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization.json b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization.json new file mode 100644 index 0000000000..8895148837 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization.json @@ -0,0 +1,69 @@ +{ + "name": "Audit-Disks-UnusedResourcesCostOptimization", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Unused Disks driving cost should be avoided", + "mode": "All", + "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/disks" + }, + { + "field": "Microsoft.Compute/disks/diskState", + "equals": "Unattached" + }, + { + "allof": [ + { + "field": "name", + "notlike": "*-ASRReplica" + }, + { + "field": "name", + "notlike": "ms-asr-*" + }, + { + "field": "name", + "notlike": "asrseeddisk-*" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
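Review bot: The nested `"allof"` block is redundant — it sits directly inside the outer `allOf`, so the three `notlike` name conditions can go in the parent list — and its lower-case spelling (`allof`, `notlike`) differs from the `allOf`/`notEquals` camel case used on the same page; Azure Policy accepts operator names case-insensitively as far as I know, but flattening and normalising to `allOf`/`notLike` keeps the file consistent with the sibling definitions. Exempting `*-ASRReplica`, `ms-asr-*` and `asrseeddisk-*` by name is a sensible Site Recovery carve-out; a clause in the `description` such as "Azure Site Recovery replica and seed disks are excluded by name" would save the next reader a lookup.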
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones.json b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones.json new file mode 100644 index 0000000000..4dff20f57b --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones.json 
@@ -0,0 +1,127 @@ +{ + "name": "Audit-PrivateLinkDnsZones", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Audit or Deny the creation of Private Link Private DNS Zones", + "description": "This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", + "metadata": { + "version": "1.0.2", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "privateLinkDnsZones": { + "type": "Array", + "metadata": { + "displayName": "Private Link Private DNS Zones", + "description": "An array of Private Link Private DNS Zones to check for the existence of in the assigned scope." 
+ }, + "defaultValue": [ + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + "privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + 
"privatelink.redis.cache.windows.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateDnsZones" + }, + { + "field": "name", + "in": "[[parameters('privateLinkDnsZones')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json new file mode 100644 index 0000000000..bda95b88d4 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json 
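Review bot: The `name` `in` match only covers the fixed zone names in `privateLinkDnsZones`; services whose Private Link zone embeds a region or instance name (`privatelink.<region>.azmk8s.io` for AKS, `privatelink.<geo>.backup.windowsazure.com` for Recovery Services, `privatelink.<region>.kusto.windows.net` for Data Explorer, to name the ones I know of) never match, so a landing zone can create a zone that bypasses the central DNS for those services without this policy noticing. Either add an `anyOf` of `like` conditions for those patterns or state the limitation in the `description` so consumers don't treat the list as exhaustive. The file arrives as a new file already at `version` `1.0.2`; if it was moved from another location, the PR description should say so.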
@@ -0,0 +1,89 @@ +{ + "name": "Audit-PublicIpAddresses-UnusedResourcesCostOptimization", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Unused Public IP addresses driving cost should be avoided", + "mode": "All", + "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.", + "metadata": { + "version": "1.1.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "microsoft.network/publicIpAddresses" + }, + { + "field": "Microsoft.Network/publicIPAddresses/publicIPAllocationMethod", + "equals": "Static" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/publicIPAddresses/natGateway", + "exists": false + }, + { + "value": "[[equals(length(field('Microsoft.Network/publicIPAddresses/natGateway')), 0)]", + "equals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/publicIPAddresses/ipConfiguration", + "exists": false + }, + { + "value": "[[equals(length(field('Microsoft.Network/publicIPAddresses/ipConfiguration')), 0)]", + "equals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/publicIPAddresses/publicIPPrefix", + "exists": false + }, + { + "value": "[[equals(length(field('Microsoft.Network/publicIPAddresses/publicIPPrefix')), 0)]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } 
+ } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization.json b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization.json new file mode 100644 index 0000000000..8d698e22c7 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization.json @@ -0,0 +1,57 @@ +{ + "name": "Audit-ServerFarms-UnusedResourcesCostOptimization", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Unused App Service plans driving cost should be avoided", + "mode": "All", + "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/serverfarms" + }, + { + "field": "Microsoft.Web/serverFarms/sku.tier", + "notEquals": "Free" + }, + { + "field": "Microsoft.Web/serverFarms/numberOfSites", + "equals": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS.json new file mode 100644 index 0000000000..e0d3e33ef7 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS.json 
@@ -0,0 +1,70 @@ +{ + "name": "Deny-APIM-TLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "API Management services should use TLS version 1.2", + "description": "Azure API Management service should use TLS version 1.2", + "metadata": { + "version": "1.0.0", + "category": "API Management", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ApiManagement/service" + }, + { + "anyOf": [ + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\":\"true\"')]", + "greater": 0 + }, + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\":true')]", + "greater": 0 + }, + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\":\"true\"')]", + "greater": 0 + }, + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\":true')]", + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
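Review bot: The anyOf only matches the gateway-side `...gateway.security.protocols.tls10` / `tls11` keys in customProperties, so an API Management instance that still enables SSL 3.0 on the gateway, or TLS 1.0/1.1 towards backends, passes a policy whose display name promises "should use TLS version 1.2". If those settings are meant to be in scope, the same indexof pattern should be repeated for `"...gateway.security.protocols.ssl30"` and for the `"...gateway.security.backend.protocols.tls10"`, `tls11` and `ssl30` keys (the substring search with the leading quote does not match the backend keys today, because they contain `security.backend.protocols`). Otherwise the description should state that only the front-end gateway protocols are evaluated. The `"greater": 0` comparison relies on the key never sitting at offset 0 of the serialized object; a comment or `greaterOrEquals` would make that less brittle if the serialization form is not guaranteed.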
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls.json new file mode 100644 index 0000000000..bb0b59e0aa --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls.json 
@@ -0,0 +1,78 @@ +{ + "name": "Deny-AppGw-Without-Tls", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2", + "description": "This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "predefinedPolicyName": { + "type": "array", + "metadata": { + "displayName": "Predefined policy name", + "description": "Predefined policy name" + }, + "defaultValue": [ + "AppGwSslPolicy20220101", + "AppGwSslPolicy20170401S", + "AppGwSslPolicy20220101S" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/applicationGateways/sslPolicy.policyType", + "notEquals": "Predefined" + }, + { + "field": "Microsoft.Network/applicationGateways/sslPolicy.policyType", + "exists": "false" + }, + { + "field": "Microsoft.Network/applicationGateways/sslPolicy.policyName", + "notIn": "[[parameters('predefinedPolicyName')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
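Review bot: The first anyOf branch, `sslPolicy.policyType notEquals Predefined`, denies any gateway that uses a `Custom` or `CustomV2` SSL policy, even one whose `minProtocolVersion` is TLSv1_2 or TLSv1_3 and is therefore at least as strict as every name in `predefinedPolicyName`. If that is deliberate (enforce the Microsoft predefined set only), the description should say that custom policies are rejected regardless of their minimum version; if it is not, a branch such as `{"allOf": [{"field": "...sslPolicy.policyType", "in": ["Custom", "CustomV2"]}, {"field": "...sslPolicy.minProtocolVersion", "notIn": ["TLSv1_2", "TLSv1_3"]}]}` would cover custom policies by their minimum version instead. I am inferring the minProtocolVersion alias from the resource schema rather than from this diff, so verify it before relying on it.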
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC.json new file mode 100644 index 0000000000..dbad204a06 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC.json @@ -0,0 +1,62 @@ +{ + "name": "Deny-AppService-without-BYOC", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "App Service certificates must be stored in Key Vault", + "description": "App Service (including Logic apps and Function apps) must use certificates stored in Key Vault", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/certificates" + }, + { + "anyOf": [ + { + "field": "Microsoft.Web/certificates/keyVaultId", + "exists": "false" + }, + { + "field": "Microsoft.Web/certificates/keyVaultSecretName", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AzFw-Without-Policy.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AzFw-Without-Policy.json new file mode 100644 index 0000000000..62e10290e9 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AzFw-Without-Policy.json 
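Review bot: The `effect` parameter defaults to `"Audit"` while the definition is named `Deny-AppService-without-BYOC` and every other new `Deny-*` definition in this change defaults to `"Deny"`; if Audit is the intended rollout posture, a short sentence in the description would stop the next reader from "fixing" it, otherwise the default should be `"Deny"` for consistency. The rule flags any `Microsoft.Web/certificates` resource lacking `keyVaultId` or `keyVaultSecretName`; if App Service managed (free) certificates are materialized as that resource type without a Key Vault reference they would be caught too, which is worth confirming and documenting in the description.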
@@ -0,0 +1,54 @@ +{ + "name": "Deny-AzFw-Without-Policy", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Azure Firewall should have a default Firewall Policy", + "description": "This policy denies the creation of Azure Firewall without a default Firewall Policy.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/azureFirewalls" + }, + { + "field": "Microsoft.Network/azureFirewalls/firewallPolicy.id", + "exists": "false" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls.json new file mode 100644 index 0000000000..eefefd8d7c --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls.json 
@@ -0,0 +1,66 @@ +{ + "name": "Deny-CognitiveServices-NetworkAcls", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Network ACLs should be restricted for Cognitive Services", + "description": "Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "count": { + "field": "Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]" + }, + "greater": 0 + }, + { + "count": { + "field": "Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]" + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-Resource-Kinds.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-Resource-Kinds.json new file mode 100644 index 0000000000..e306a69eb0 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-Resource-Kinds.json 
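Review bot: The rule only fires when `networkAcls.ipRules` or `networkAcls.virtualNetworkRules` is non-empty, so an account with zero rules and `networkAcls.defaultAction` of `Allow` (or `publicNetworkAccess` left enabled) — the most exposed configuration — is compliant, while an account that narrows access to a VNet is denied. That is the opposite of what "restrict inbound network access and enforce the usage of private endpoints" in the description suggests. If the intent is private-endpoint-only, add a branch such as `{"field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess", "notEquals": "Disabled"}` to the anyOf (alias inferred from the resource schema, please verify), or reword the description to say it forbids service-level firewall rules specifically.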
@@ -0,0 +1,95 @@ +{ + "name": "Deny-CognitiveServices-Resource-Kinds", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Only explicit kinds for Cognitive Services should be allowed", + "description": "Azure Cognitive Services should only create explicit allowed kinds.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "allowedKinds": { + "type": "array", + "metadata": { + "displayName": "Effect", + "description": "Select the allowed resource kinds to be used with Cognitive Services" + }, + "allowedValues": [ + "AnomalyDetector", + "ComputerVision", + "CognitiveServices", + "ContentModerator", + "CustomVision.Training", + "CustomVision.Prediction", + "Face", + "FormRecognizer", + "ImmersiveReader", + "LUIS", + "Personalizer", + "SpeechServices", + "TextAnalytics", + "TextTranslation", + "OpenAI" + ], + "defaultValue": [ + "AnomalyDetector", + "ComputerVision", + "CognitiveServices", + "ContentModerator", + "CustomVision.Training", + "CustomVision.Prediction", + "Face", + "FormRecognizer", + "ImmersiveReader", + "LUIS", + "Personalizer", + "SpeechServices", + "TextAnalytics", + "TextTranslation", + "OpenAI" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "field": "kind", + "notIn": "[[parameters('allowedKinds')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
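Review bot: The `allowedKinds` parameter carries `"displayName": "Effect"`, which is a copy-paste from the effect parameter and will show up as a second "Effect" field in the portal assignment UI; it should read `"displayName": "Allowed resource kinds"`. Since `allowedValues` and `defaultValue` are the same list, the default denies nothing until an assignment trims the list — a sentence in the description saying the default is permissive would make that explicit.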
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess.json new file mode 100644 index 0000000000..50f1fc531f --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess.json @@ -0,0 +1,62 @@ +{ + "name": "Deny-CognitiveServices-RestrictOutboundNetworkAccess", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Outbound network access should be restricted for Cognitive Services", + "description": "Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "exists": "false" + }, + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku.json index 6049dcbb70..9098de181f 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku.json @@ -7,7 +7,7 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "Deny non-premium Databricks sku", - "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", + "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.", "metadata": { "version": "1.0.0", "category": "Databricks", @@ -49,4 +49,4 @@ } } } -} +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS.json new file mode 100644 index 0000000000..7bf5dfbdf9 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS.json 
@@ -0,0 +1,70 @@ +{ + "name": "Deny-EH-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Event Hub namespaces should use a valid TLS version", + "description": "Event Hub namespaces should use a valid TLS version.", + "metadata": { + "version": "1.0.0", + "category": "Event Hub", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minTlsVersion": { + "type": "string", + "metadata": { + "displayName": "Minimum TLS Version", + "description": "Minimum TLS version to be used by Event Hub" + }, + "defaultValue": "1.2" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventHub/namespaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", + "notEquals": "[[parameters('minTlsVersion')]" + }, + { + "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK.json new file mode 100644 index 0000000000..0e7c2dac4a --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK.json 
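Review bot: The `minTlsVersion` parameter is described as a minimum, but the rule uses `notEquals`, so a namespace configured with any value other than the exact parameter (including a newer, stricter version if the service accepts one) is denied. Either rename the parameter and description to say "required TLS version", or compare against an allowed list, e.g. `"notIn": "[[parameters('allowedTlsVersions')]"` with a default of `["1.2"]`. Separately, the file is named `Deny-EH-MINTLS.json` while `"name"` is `Deny-EH-minTLS`; the other definitions in this change keep the two identical, which matters if any tooling derives the definition name from the file name.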
@@ -0,0 +1,60 @@ +{ + "name": "Deny-EH-Premium-CMK", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Event Hub namespaces (Premium) should use a customer-managed key for encryption", + "description": "Event Hub namespaces (Premium) should use a customer-managed key for encryption.", + "metadata": { + "version": "1.0.0", + "category": "Event Hub", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventHub/namespaces" + }, + { + "field": "Microsoft.EventHub/namespaces/sku.name", + "equals": "Premium" + }, + { + "not": { + "field": "Microsoft.EventHub/namespaces/encryption.keySource", + "equals": "Microsoft.Keyvault" + } + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureAuth.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureAuth.json new file mode 100644 index 0000000000..0d9f25943a --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureAuth.json 
@@ -0,0 +1,66 @@ +{ + "name": "Deny-FileServices-InsecureAuth", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "File Services with insecure authentication methods should be denied", + "description": "This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "notAllowedAuthMethods": { + "type": "String", + "defaultValue": "NTLMv2", + "allowedValues": [ + "NTLMv2", + "Kerberos" + ], + "metadata": { + "displayName": "Authentication methods supported by server. Valid values are NTLMv2, Kerberos.", + "description": "The list of channelEncryption not allowed." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.authenticationMethods", + "contains": "[[parameters('notAllowedAuthMethods')]" + }, + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } + } \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureKerberos.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureKerberos.json new file mode 100644 index 0000000000..36c70d5345 --- /dev/null 
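Review bot: The `notAllowedAuthMethods` metadata says `"description": "The list of channelEncryption not allowed."`, copied from the SMB channel-encryption definition; it should read `"description": "The SMB authentication method that is not allowed."`. The parameter is a single `String` used with `contains`, not a list, so the displayName "Authentication methods supported by server. Valid values are NTLMv2, Kerberos." overstates what it accepts, and `allowedValues` lets an assignment deny `Kerberos` — the secure option — which is probably not something this policy should offer. Consider dropping `Kerberos` from `allowedValues` or documenting why it is selectable.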
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureKerberos.json @@ -0,0 +1,66 @@ +{ + "name": "Deny-FileServices-InsecureKerberos", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "File Services with insecure Kerberos ticket encryption should be denied", + "description": "This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "notAllowedKerberosTicketEncryption": { + "type": "String", + "defaultValue": "RC4-HMAC", + "allowedValues": [ + "RC4-HMAC", + "AES-256" + ], + "metadata": { + "displayName": "Kerberos ticket encryption supported by server. Valid values are RC4-HMAC, AES-256.", + "description": "The list of kerberosTicketEncryption not allowed." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.kerberosTicketEncryption", + "contains": "[[parameters('notAllowedKerberosTicketEncryption')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } + } \ No newline at end of file 
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureSmbChannel.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureSmbChannel.json new file mode 100644 index 0000000000..f7ef8fe763 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureSmbChannel.json 
@@ -0,0 +1,67 @@ +{ + "name": "Deny-FileServices-InsecureSmbChannel", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "File Services with insecure SMB channel encryption should be denied", + "description": "This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "notAllowedChannelEncryption": { + "type": "String", + "defaultValue": "AES-128-CCM", + "allowedValues": [ + "AES-128-CCM", + "AES-128-GCM", + "AES-256-GCM" + ], + "metadata": { + "displayName": "SMB channel encryption supported by server. Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM.", + "description": "The list of channelEncryption not allowed." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.channelEncryption", + "contains": "[[parameters('notAllowedChannelEncryption')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } + } \ No newline at end of file 
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureSmbVersions.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureSmbVersions.json new file mode 100644 index 0000000000..f3c9e4e336 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureSmbVersions.json 
@@ -0,0 +1,70 @@ +{ + "name": "Deny-FileServices-InsecureSmbVersions", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "File Services with insecure SMB versions should be denied", + "description": "This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "allowedSmbVersion": { + "type": "String", + "defaultValue": "SMB3.1.1", + "allowedValues": [ + "SMB2.1", + "SMB3.0", + "SMB3.1.1" + ], + "metadata": { + "displayName": "Allowed SMB Version", + "description": "The allowed SMB version for maximum security" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "not": + { + "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions", + "contains": "[[parameters('allowedSmbVersion')]" + } + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } + } \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network.json new file mode 100644 index 0000000000..6160380383 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network.json 
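Review bot: The rule `not { contains allowedSmbVersion }` only requires that the allowed version be present in `protocolSettings.smb.versions`; a value such as `SMB2.1;SMB3.0;SMB3.1.1` still contains `SMB3.1.1` and is compliant, so the insecure versions the description says are denied (2.1 and 3.0) are not actually blocked. Since the sibling definitions treat this field as a delimited string, the simplest fix is an exact match: replace the `not`/`contains` pair with `{"field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions", "notEquals": "[[parameters('allowedSmbVersion')]"}`, which also keeps the deny for a missing field. If multiple versions must remain assignable, the parameter should instead become an array of forbidden versions evaluated with `contains` per entry, mirroring the other File Services policies.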
@@ -0,0 +1,66 @@ +{ + "name": "Deny-LogicApp-Public-Network", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Logic apps should disable public network access", + "description": "Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.", + "metadata": { + "version": "1.0.0", + "category": "Logic Apps", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "contains": "workflowapp" + }, + { + "anyOf": [ + { + "field": "Microsoft.Web/sites/publicNetworkAccess", + "exists": "false" + }, + { + "field": "Microsoft.Web/sites/publicNetworkAccess", + "notEquals": "Disabled" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https.json new file mode 100644 index 0000000000..e17b201b29 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https.json 
@@ -0,0 +1,66 @@ +{ + "name": "Deny-LogicApps-Without-Https", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Logic app should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "Logic Apps", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "contains": "workflowapp" + }, + { + "anyOf": [ + { + "field": "Microsoft.Web/sites/httpsOnly", + "exists": "false" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess.json index 458dfb7020..0682c33f21 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess.json 
@@ -6,12 +6,14 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Azure Machine Learning should have disabled public network access", - "description": "Denies public network access for Azure Machine Learning workspaces.", + "displayName": "[Deprecated] Azure Machine Learning should have disabled public network access", + "description": "Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html", "metadata": { - "version": "1.0.0", + "version": "1.0.0-deprecated", "category": "Machine Learning", "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "438c38d2-3772-465a-a9cc-7a6666a275ce", "alzCloudEnvironments": [ "AzureCloud" ] diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet.json new file mode 100644 index 0000000000..5489434e8f --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet.json 
@@ -0,0 +1,255 @@ +{ + "name": "Deny-MgmtPorts-From-Internet", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Management port access from the Internet should be blocked", + "description": "This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.", + "metadata": { + "version": "2.1.1", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deny-RDP-From-Internet", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "ports": { + "type": "Array", + "metadata": { + "displayName": "Ports", + "description": "Ports to be blocked" + }, + "defaultValue": [ + "22", + "3389" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "in": "[[parameters('ports')]" + }, + { + "count": { + "value": "[[parameters('ports')]", + "where": { + "value": "[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), 
contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "count": { + "value": "[[parameters('ports')]", + "name": "ports", + "where": { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "where": { + "value": "[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notIn": "[[parameters('ports')]" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": 
"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", + "in": "[[parameters('ports')]" + }, + { + "count": { + "value": "[[parameters('ports')]", + "name": "ports", + "where": { + "value": "[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "count": { + "value": "[[parameters('ports')]", + "name": "ports", + "where": { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "where": { + "value": "[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), 
and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "notIn": "[[parameters('ports')]" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } + ] + } + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http.json index 0307c75c9d..ebafdd4ce0 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http.json 
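Review bot: The source-side `anyOf` in both branches only recognises `*` and `Internet` for `sourceAddressPrefix` / `sourceAddressPrefixes[*]`, so an inbound Allow rule whose source is written as `0.0.0.0/0` (or `::/0`) has the same reach but does not match and is not denied. Adding `{ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "equals": "0.0.0.0/0" }` plus the corresponding `not`/`notEquals` form for `sourceAddressPrefixes[*]`, and the same pair in the `securityRules[*]` branch at NSG level, would close that gap. Separately, the first `count` over `parameters('ports')` in the child-resource branch uses an unnamed `current()` while the other three name their iterator (`"name": "ports"`, `current('ports')`); it works at that nesting depth, but naming it keeps the four range expressions uniform. The definition is new yet starts at `"version": "2.1.1"`; if that continues the history of Deny-RDP-From-Internet, a short note in `metadata` saying so would explain the non-1.0.0 start.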
@@ -42,8 +42,8 @@
 "TLSEnforcementDisabled"
 ],
 "metadata": {
- "displayName": "Select version minimum TLS for MySQL server",
- "description": "Select version minimum TLS version Azure Database for MySQL server to enforce"
+ "displayName": "Select version minimum TLS for PostgreSQL server",
+ "description": "Select version minimum TLS version Azure Database for PostgreSQL server to enforce"
 }
 }
 },
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB.json
index c4b7c1da41..5254b68452 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB.json
@@ -6,12 +6,14 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Public network access should be disabled for MariaDB",
- "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints",
+ "displayName": "[Deprecated] Public network access should be disabled for MariaDB",
+ "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.0-deprecated",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PublicIP.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PublicIP.json
index a74cfae326..c5c808d426 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PublicIP.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-PublicIP.json
@@ -7,9 +7,10 @@
 "policyType": "Custom",
 "mode": "Indexed",
 "displayName": "[Deprecated] Deny the creation of public IP",
- "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope.",
+ "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.",
 "metadata": {
 "deprecated": true,
+ "supersededBy": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
 "version": "1.0.0-deprecated",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet.json
index 186ee3f636..4fdaad1d55 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet.json
@@ -6,10 +6,12 @@
 "properties": {
 "policyType": "Custom",
 "mode": "All",
- "displayName": "RDP access from the Internet should be blocked",
- "description": "This policy denies any network security rule that allows RDP access from Internet",
+ "displayName": "[Deprecated] RDP access from the Internet should be blocked",
+ "description": "This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html",
 "metadata": {
- "version": "1.0.0",
+ "deprecated": true,
+ "supersededBy": "Deny-MgmtPorts-From-Internet",
+ "version": "1.0.1-deprecated",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints.json
new file mode 100644
index 0000000000..e658b6fe97
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints.json
@@ -0,0 +1,60 @@
+{
+ "name": "Deny-Service-Endpoints",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deny or Audit service endpoints on subnets",
+ "description": "This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/subnets"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]",
+ "where": {
+ "field": "Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service",
+ "exists": true
+ }
+ },
+ "greater": 0
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
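Review bot: The rule only matches the `Microsoft.Network/virtualNetworks/subnets` child type, so a `Microsoft.Network/virtualNetworks` PUT that declares its subnets inline with `serviceEndpoints` would presumably not be evaluated by this `if`, while Deny-MgmtPorts-From-Internet in the same commit deliberately covers both the parent (`securityRules[*]`) and the child shape for NSGs. Suggest wrapping the existing `allOf` in an `anyOf` and adding a parent-level branch like the one below, provided the `Microsoft.Network/virtualNetworks/subnets[*].serviceEndpoints[*].service` alias is available in the target clouds. The description could also say which shapes are covered so an assigner knows whether inline subnet deployments are enforced.

```jsonc
"if": {
  "anyOf": [
    {
      "allOf": [
        // … unchanged: existing virtualNetworks/subnets branch …
      ]
    },
    {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Network/virtualNetworks" },
        {
          "count": {
            "field": "Microsoft.Network/virtualNetworks/subnets[*]",
            "where": {
              "count": {
                "field": "Microsoft.Network/virtualNetworks/subnets[*].serviceEndpoints[*]",
                "where": {
                  "field": "Microsoft.Network/virtualNetworks/subnets[*].serviceEndpoints[*].service",
                  "exists": true
                }
              },
              "greater": 0
            }
          },
          "greater": 0
        }
      ]
    }
  ]
}
```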
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy.json
new file mode 100644
index 0000000000..e0f3ad0387
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy.json
@@ -0,0 +1,74 @@ +{ + "name": "Deny-Storage-ContainerDeleteRetentionPolicy", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Storage Accounts should use a container delete retention policy", + "description": "Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minContainerDeleteRetentionInDays": { + "type": "Integer", + "metadata": { + "displayName": "Minimum Container Delete Retention in Days", + "description": "Specifies the minimum number of days for the container delete retention policy" + }, + "defaultValue": 7 + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/blobServices" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled", + "exists": false + }, + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled", + "notEquals": true + }, + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days", + "less": "[[parameters('minContainerDeleteRetentionInDays')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
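Review bot: The description promises retention policies "larger than seven days", but the rule flags `containerDeleteRetentionPolicy.days` only when it is `less` than `minContainerDeleteRetentionInDays`, so exactly 7 days is compliant; `"description": "Enforce a container delete retention policy of at least the configured minimum number of days (default 7) for storage accounts. Enable this for increased data loss protection."` matches what the rule does. The rule targets the `Microsoft.Storage/storageAccounts/blobServices` child resource, so with `Deny` it can only block an explicit PUT of `blobServices/default`; an account whose blob service is never written explicitly is presumably just reported non-compliant, which is worth stating in the description (the same applies to Deny-Storage-CorsRules). A short `metadata.description` for the parameter saying that values above the minimum are accepted would also help.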
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope.json new file mode 100644 index 0000000000..443b0eb6d7 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope.json @@ -0,0 +1,74 @@ +{ + "name": "Deny-Storage-CopyScope", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Allowed Copy scope should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "allowedCopyScope": { + "type": "String", + "metadata": { + "displayName": "Allowed Copy Scope", + "description": "Specify the allowed copy scope." + }, + "allowedValues": [ + "AAD", + "PrivateLink" + ], + "defaultValue": "AAD" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/allowedCopyScope", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/allowedCopyScope", + "notEquals": "[[parameters('allowedCopyScope')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules.json
new file mode 100644
index 0000000000..a4b40d50cf
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules.json
@@ -0,0 +1,102 @@ +{ + "name": "Deny-Storage-CorsRules", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Storage Accounts should restrict CORS rules", + "description": "Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/blobServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/tableServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/queueServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser.json new file mode 100644 index 0000000000..42af888d40 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser.json @@ -0,0 +1,62 @@ +{ + "name": "Deny-Storage-LocalUser", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Local users should be restricted for Storage Accounts", + "description": "Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/isLocalUserEnabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/isLocalUserEnabled", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass.json new file mode 100644 index 0000000000..d0c7321560 --- /dev/null 
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass.json 
@@ -0,0 +1,90 @@ +{ + "name": "Deny-Storage-NetworkAclsBypass", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Network ACL bypass option should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "allowedBypassOptions": { + "type": "Array", + "metadata": { + "displayName": "Allowed Bypass Options", + "description": "Specifies which options are allowed to bypass the vnet configuration" + }, + "allowedValues": [ + "None", + "Logging", + "Metrics", + "AzureServices", + "Logging, Metrics", + "Logging, AzureServices", + "Metrics, AzureServices", + "Logging, Metrics, AzureServices", + "Logging, Metrics, AzureServices" + ], + "defaultValue": [ + "Logging", + "Metrics", + "AzureServices", + "Logging, Metrics", + "Logging, AzureServices", + "Metrics, AzureServices", + "Logging, Metrics, AzureServices", + "Logging, Metrics, AzureServices" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass", + "notIn": "[[parameters('allowedBypassOptions')]" + } + ] + } + ] + }, + "then": { + 
"effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules.json new file mode 100644 index 0000000000..9c02e4b6ff --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules.json @@ -0,0 +1,56 @@ +{ + "name": "Deny-Storage-NetworkAclsVirtualNetworkRules", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Virtual network rules should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]" + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file 
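Review bot: `allowedBypassOptions` lists `"Logging, Metrics, AzureServices"` twice in both `allowedValues` and `defaultValue`; the repeat is harmless at evaluation time but will confuse anyone assigning the policy, so drop the duplicate entry in each list. The `notIn` check compares `networkAcls.bypass` as one whole string, so a match depends on the exact ordering and spacing the service stores (e.g. whether it returns `Logging, Metrics` or `Metrics, Logging`); verify against a deployed account and say in the parameter description that values must be given in the service's serialisation, otherwise a compliant account would presumably be flagged. The hunk begins on the previous physical line; the `if`/`then` structure is otherwise complete.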
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId.json
new file mode 100644
index 0000000000..4e58437968
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId.json
@@ -0,0 +1,66 @@ +{ + "name": "Deny-Storage-ResourceAccessRulesResourceId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Resource Access Rules resource IDs should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]" + }, + "greater": 0 + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]", + "where": { + "value": "[[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]", + "equals": "*" + } + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId.json new file mode 100644 index 0000000000..91197f3ba0 --- /dev/null 
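Review bot: The second `allOf` member (`count` of all `resourceAccessRules[*]` `greater` 0) is redundant, because the third member already requires at least one rule whose subscription segment is `*`; removing it leaves the rule's meaning unchanged and easier to read. The `split(current(...resourceId), '/')[2]` expression relies on resource IDs having the shape `/subscriptions/{id}/...` so that index 2 is the subscription; a sentence in `description` such as `Denies resource access rules whose resourceId uses a wildcard (*) subscription segment.` would document that assumption for the next maintainer.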
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId.json @@ -0,0 +1,60 @@ +{ + "name": "Deny-Storage-ResourceAccessRulesTenantId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Resource Access Rules Tenants should be restricted for Storage Accounts", + "description": "Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]" + }, + "greater": 0 + }, + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId", + "notEquals": "[[subscription().tenantId]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP.json new file mode 100644 index 0000000000..af46d7efa9 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP.json 
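Review bot: The last `allOf` member applies `notEquals` directly to the `resourceAccessRules[*].tenantId` array alias outside a `count`; as I read the array-alias evaluation rules, such a condition holds only when every member satisfies it, so an account with one cross-tenant rule next to one same-tenant rule would not be flagged, and a rule that omits `tenantId` (if the API allows that) is unclear. The sibling Deny-Storage-ResourceAccessRulesResourceId in this commit already uses the `count`/`where` form, which flags as soon as one rule matches; the same shape here would make the two consistent and close the gap. The leading `count ... greater 0` member then becomes redundant and can be dropped.

```jsonc
// … unchanged: type equals Microsoft.Storage/storageAccounts …
{
  "count": {
    "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]",
    "where": {
      "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId",
      "notEquals": "[[subscription().tenantId]"
    }
  },
  "greater": 0
}
```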
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-Storage-SFTP",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Storage Accounts with SFTP enabled should be denied",
+ "description": "This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/isSftpEnabled",
+ "equals": "true"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption.json
new file mode 100644
index 0000000000..19f5127565
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption.json
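Review bot: This definition uses `"mode": "Indexed"` while every other new `Deny-Storage-*` definition in the commit uses `"mode": "All"`; storage accounts carry tags so Indexed evaluates them, but the divergence looks accidental and `"mode": "All"` would keep the set uniform. The rule also only matches `isSftpEnabled` `equals` `"true"` with no `exists` branch, the opposite of Deny-Storage-LocalUser, which denies when its property is absent; presumably that is intentional because SFTP is opt-in, so a clause in `description` like `Accounts that do not set isSftpEnabled are treated as compliant.` would record it. The effect parameter's `metadata.description` wording also differs from the shared `Enable or disable the execution of the policy` text used elsewhere.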
@@ -0,0 +1,102 @@ +{ + "name": "Deny-Storage-ServicesEncryption", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Encryption for storage services should be enforced for Storage Accounts", + "description": "Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled", + "notEquals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled", + "notEquals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType", + "notEquals": "Account" + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType", + "exists": "false" + }, + { + "field": 
"Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
+ "notEquals": "Account"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS.json
index 0c980060a1..af3c967807 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS.json
@@ -5,11 +5,13 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "mode": "Indexed",
- "displayName": "Storage Account set to minimum TLS and Secure transfer should be enabled",
- "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
+ "mode": "All",
+ "displayName": "[Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled",
+ "description": "Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html",
 "metadata": {
- "version": "1.0.0",
+ "deprecated": true,
+ "supersededBy": "fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9",
+ "version": "1.0.0-deprecated",
 "category": "Storage",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
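Review bot: The description says the policy enforces encryption for all storage services, but the rule checks two different things: `encryption.services.blob/file.enabled` must be `true`, while `encryption.services.queue/table.keyType` must be `Account`. If I read the Storage model right, service encryption for blob and file cannot be switched off at all and `keyType` only chooses between the account-scoped and the service-scoped key, so the practical effect is to require account-scoped keys for queue and table (the prerequisite for one key scope, including customer-managed keys, to cover all four services); and because `exists: false` also trips the rule, a `Deny` assignment rejects any template that omits the `encryption.services` block. I'd state that explicitly, e.g. `"description": "Azure Storage accounts must declare encryption.services with blob and file enabled and queue and table using the 'Account' key type, so a single key scope (including customer-managed keys) covers all four services. Deployments that omit the encryption.services block are denied."`. Style-wise the four inner `anyOf` blocks nested inside the outer `anyOf` are redundant; a single flat `anyOf` of the eight conditions reads the same. The hunk is a complete new file.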
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-StorageAccount-CustomDomain.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-StorageAccount-CustomDomain.json new file mode 100644 index 0000000000..95f36b86bf --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-StorageAccount-CustomDomain.json @@ -0,0 +1,62 @@ +{ + "name": "Deny-StorageAccount-CustomDomain", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Storage Accounts with custom domains assigned should be denied", + "description": "This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/customDomain", + "exists": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/customDomain.useSubDomainName", + "equals": "true" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } + } \ No newline at end of file 
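Review bot: `customDomain` with `exists: true` also matches the request that removes a custom domain, which, if I recall the Storage REST API correctly, is done by sending `customDomain` with an empty `name`; under `Deny` an account that already has a custom domain could then never be brought into compliance. Checking the name instead, e.g. an `allOf` of `{ "field": "Microsoft.Storage/storageAccounts/customDomain.name", "exists": "true" }` and `{ "field": "Microsoft.Storage/storageAccounts/customDomain.name", "notEquals": "" }`, would avoid that, assuming the `customDomain.name` alias is available. The second `anyOf` branch on `useSubDomainName` is redundant either way, since that property can only be present when `customDomain` exists. The closing brace of the file is indented one level deeper than in the sibling definitions. The hunk is a complete new file.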
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Penp.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Penp.json new file mode 100644 index 0000000000..f86e06a067 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Penp.json 
@@ -0,0 +1,101 @@ +{ + "name": "Deny-Subnet-Without-Penp", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Subnets without Private Endpoint Network Policies enabled should be denied", + "description": "This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "excludedSubnets": { + "type": "Array", + "metadata": { + "displayName": "Excluded Subnets", + "description": "Array of subnet names that are excluded from this policy" + }, + "defaultValue": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet", + "AzureBastionSubnet" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + 
"notIn": "[[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies", + "notEquals": "Enabled" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-UDR-With-Specific-NextHop.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-UDR-With-Specific-NextHop.json new file mode 100644 index 0000000000..1e2ae1545d --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-UDR-With-Specific-NextHop.json 
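Review bot: `privateEndpointNetworkPolicies` with `notEquals: "Enabled"` is also true when the property is absent from the request, so a `Deny` assignment rejects every VNet or subnet deployment that does not set it explicitly, and on API versions that accept the partial values `NetworkSecurityGroupEnabled` and `RouteTableEnabled` (if I recall the newer schema correctly) those are denied as well; the description should say so, because that is the friction workload teams will hit. There is also a typo in the description, `Netwotk`. Suggested text: `"description": "This policy denies the creation of a subnet unless privateEndpointNetworkPolicies is explicitly set to 'Enabled' (omitting the property or using any other value is denied). It is intended for 'workload' subnets, not 'central infrastructure' (aka 'hub') subnets; list those in the excludedSubnets parameter."`. The hunk is a complete new file.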
@@ -0,0 +1,87 @@ +{ + "name": "Deny-UDR-With-Specific-NextHop", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied", + "description": "This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "excludedDestinations": { + "type": "Array", + "metadata": { + "displayName": "Excluded Destinations", + "description": "Array of route destinations that are to be denied" + }, + "defaultValue": [ + "Internet", + "VirtualNetworkGateway" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/routeTables", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/routeTables/routes[*]", + "where": { + "field": "Microsoft.Network/routeTables/routes[*].nextHopType", + "in": "[[parameters('excludedDestinations')]" + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/routeTables/routes" + }, + { + "field": "Microsoft.Network/routeTables/routes/nextHopType", + "in": "[[parameters('excludedDestinations')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} 
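Review bot: The parameter `excludedDestinations` is misnamed: the rule compares it against `nextHopType`, the values it holds are the ones to deny rather than to exclude, and they are next hop types rather than destinations, so its own description (`route destinations that are to be denied`) already contradicts its name. Since the definition is new, rename it to `deniedNextHopTypes` with `"displayName": "Denied next hop types"` and `"description": "Array of next hop types that are to be denied"`, updating both `[[parameters(...)]` references and any assignment in this PR that passes it. Adding `"allowedValues": ["Internet", "VirtualNetworkGateway", "VirtualAppliance", "VnetLocal", "None"]` would also stop a mistyped value from silently matching nothing. The hunk is a complete new file.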
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs.json
new file mode 100644
index 0000000000..3d609d5f28
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs.json
@@ -0,0 +1,38 @@
+{
+ "name": "DenyAction-ActivityLogs",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "DenyAction implementation on Activity Logs",
+ "description": "This is a DenyAction implementation policy on Activity Logs.",
+ "metadata": {
+ "deprecated": false,
+ "version": "1.0.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {},
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions/providers/diagnosticSettings"
+ },
+ "then": {
+ "effect": "denyAction",
+ "details": {
+ "actionNames": [
+ "delete"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json
new file mode 100644
index 0000000000..caf12e580c
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json
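Review bot: `"mode": "Indexed"` looks wrong for a rule whose only target is `Microsoft.Resources/subscriptions/providers/diagnosticSettings`: Indexed mode is documented to evaluate only resource types that support tags and location, which diagnostic settings do not, so this denyAction may never be evaluated; the sibling DenyAction-DeleteResources in the same commit uses `"mode": "All"`, and I'd do the same here unless the Indexed form has been verified to fire. The effect is also hard-coded (`"parameters": {}` and `"effect": "denyAction"`), so the only way to lift the protection for a planned teardown is to delete the assignment; for parity with DenyAction-DeleteResources, add an `effect` parameter with `allowedValues` `DenyAction`/`Disabled` and reference it via `[[parameters('effect')]`. `"deprecated": false` in metadata is noise that none of the other new definitions carry. The hunk is a complete new file.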
@@ -0,0 +1,72 @@ +{ + "name": "DenyAction-DeleteResources", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Do not allow deletion of specified resource and resource type", + "description": "This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.", + "metadata": { + "version": "1.0.0", + "category": "General", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "resourceName": { + "type": "String", + "metadata": { + "displayName": "Resource Name", + "description": "Provide the name of the resource that you want to protect from accidental deletion." + } + }, + "resourceType": { + "type": "String", + "metadata": { + "displayName": "Resource Type", + "description": "Provide the resource type that you want to protect from accidental deletion." + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DenyAction", + "Disabled" + ], + "defaultValue": "DenyAction" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "[[parameters('resourceType')]" + }, + { + "field": "name", + "like": "[[parameters('resourceName')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "actionNames": [ + "delete" + ] + } + } + } + } +} diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs.json new file mode 100644 index 0000000000..e019d9828c --- /dev/null 
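Review bot: `resourceName` is matched with `like`, so wildcards are honored and a value of `*` blocks deletion of every resource of the given type under the assignment scope; the parameter description should say that, e.g. `"description": "Name of the resource to protect from accidental deletion. Wildcards are honored (like match); '*' protects every resource of the selected type."`. `resourceType` has no `strongType`, so adding `"strongType": "resourceTypes"` gives assigners a picker and avoids a mistyped type that matches nothing. There is a typo in the policy description, `accidentals deletion` should read `accidental deletion`. The hunk is a complete new file.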
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs.json @@ -0,0 +1,38 @@ +{ + "name": "DenyAction-DiagnosticLogs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "DenyAction implementation on Diagnostic Logs.", + "description": "DenyAction implementation on Diagnostic Logs.", + "metadata": { + "deprecated": false, + "version": "1.0.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": {}, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Insights/diagnosticSettings" + }, + "then": { + "effect": "denyAction", + "details": { + "actionNames": [ + "delete" + ] + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json index b8241b9948..0b86bfaa49 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json @@ -9,7 +9,7 @@ "displayName": "Deploy Microsoft Defender for Cloud Security Contacts", "description": "Deploy Microsoft Defender for Cloud Security Contacts", "metadata": { - "version": "1.1.0", + "version": "2.0.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
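Review bot: The effect is hard-coded (`"parameters": {}`, `"effect": "denyAction"`), unlike DenyAction-DeleteResources in this same commit, which exposes `effect` with `DenyAction`/`Disabled`; without a parameter the only way to lift the protection during a planned teardown is to remove the assignment, so I'd add the same `effect` parameter here and in DenyAction-ActivityLogs. Separately, `"mode": "Indexed"` with a target of `Microsoft.Insights/diagnosticSettings` is doubtful, because Indexed mode is documented to evaluate only resource types that support tags and location, which diagnostic settings do not; `"mode": "All"` is the safer choice unless Indexed has been confirmed to fire for this type. The Deploy-ASC-SecurityContacts hunk on this line is a version bump only. Both hunks are complete.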
@@ -20,14 +20,14 @@ }, "parameters": { "emailSecurityContact": { - "type": "string", + "type": "String", "metadata": { "displayName": "Security contacts email address", - "description": "Provide email address for Azure Security Center contact details" + "description": "Provide email addresses (semi-colon separated) for Defender for Cloud contact details" } }, "effect": { - "type": "string", + "type": "String", "defaultValue": "DeployIfNotExists", "allowedValues": [ "DeployIfNotExists", @@ -39,7 +39,7 @@ } }, "minimalSeverity": { - "type": "string", + "type": "String", "defaultValue": "High", "allowedValues": [ "High", @@ -77,20 +77,12 @@ "contains": "[[parameters('emailSecurityContact')]" }, { - "field": "Microsoft.Security/securityContacts/alertNotifications.minimalSeverity", - "contains": "[[parameters('minimalSeverity')]" - }, - { - "field": "type", - "equals": "Microsoft.Security/securityContacts" + "field": "Microsoft.Security/securityContacts/isEnabled", + "equals": true }, { - "field": "Microsoft.Security/securityContacts/alertNotifications", - "equals": "On" - }, - { - "field": "Microsoft.Security/securityContacts/alertsToAdmins", - "equals": "On" + "field": "Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity", + "contains": "[[parameters('minimalSeverity')]" } ] }, @@ -128,19 +120,22 @@ { "type": "Microsoft.Security/securityContacts", "name": "default", - "apiVersion": "2020-01-01-preview", + "apiVersion": "2023-12-01-preview", "properties": { "emails": "[[parameters('emailSecurityContact')]", + "isEnabled": true, "notificationsByRole": { "state": "On", "roles": [ "Owner" ] }, - "alertNotifications": { - "state": "On", - "minimalSeverity": "[[parameters('minimalSeverity')]" - } + "notificationsSources": [ + { + "sourceType": "Alert", + "minimalSeverity": "[[parameters('minimalSeverity')]" + } + ] } } ], 
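Review bot: The new existence condition drops the role-notification check (the removed `alertsToAdmins equals On`) even though the deployment still sets `notificationsByRole` to `On` for `Owner`, so a security contact where owner notifications were switched off would now be reported compliant and never remediated by DeployIfNotExists. Add the equivalent check on the new schema, e.g. `{ "field": "Microsoft.Security/securityContacts/notificationsByRole.state", "equals": "On" }`, assuming that alias exists for the `2023-12-01-preview` shape the template uses. Note also that `emails` is checked with `contains`, so with the now semicolon-separated list the resource must hold the parameter string verbatim and in the same order, which is acceptable but deserves a sentence in the parameter description; and the template targets a preview API version, which is worth calling out in the PR. These hunks patch only parts of the definition; the rule and the template start outside this view.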
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA.json index 01f9b402d8..5152b72911 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA.json @@ -6,10 +6,11 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", - "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "displayName": "[Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.", "metadata": { - "version": "1.1.0", + "deprecated": true, + "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI.json index 1a96700508..8e8dc30141 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI.json 
@@ -6,10 +6,11 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", - "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.", + "displayName": "[Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.", "metadata": { - "version": "1.1.0", + "deprecated": true, + "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR.json index 32bdaf0f8c..e1aa102aec 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR.json 
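Review bot: The rewritten description for Container Instances still carries the copy-paste from the registry policy, `when any ACR which is missing this diagnostic settings`; since the sentence is being edited anyway, make it `when any Container Instance which is missing this diagnostic setting is created or updated`. The rest of the hunk is the same deprecation metadata applied to the other Deploy-Diagnostics definitions. The hunk is complete; the definition continues outside it.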
@@ -6,10 +6,11 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", - "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.", + "displayName": "[Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.", "metadata": { - "version": "1.1.0", + "deprecated": true, + "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt.json index afb2790b9e..aa49c4dbaf 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt.json 
@@ -6,10 +6,11 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", - "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "displayName": "[Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.", "metadata": { - "version": "1.1.0", + "deprecated": true, + "version": "1.2.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -27,6 +28,18 @@ "strongType": "omsWorkspace" } }, + "logAnalyticsDestinationType": { + "type": "String", + "metadata": { + "displayName": "Log Analytics destination type", + "description": "Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. Default is 'AzureDiagnostics'" + }, + "defaultValue": "AzureDiagnostics", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ] + }, "effect": { "type": "String", "defaultValue": "DeployIfNotExists", @@ -115,6 +128,9 @@ "logAnalytics": { "type": "String" }, + "logAnalyticsDestinationType": { + "type": "String" + }, "location": { "type": "String" }, @@ -158,7 +174,8 @@ "category": "WebSocketConnectionLogs", "enabled": "[[parameters('logsEnabled')]" } - ] + ], + "logAnalyticsDestinationType": "[[parameters('logAnalyticsDestinationType')]" } } ], 
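Review bot: This definition is marked `[Deprecated]` and at the same time gains a new `logAnalyticsDestinationType` parameter wired through to the deployment, with the version moved to `1.2.0-deprecated`; it is the only deprecated Deploy-Diagnostics policy in this commit that changes behavior, which is the opposite of what the deprecation notice tells assigners. The change is backward compatible because the parameter defaults to `AzureDiagnostics`, but either leave a policy that is being retired alone or explain in the description why it is still being extended, e.g. appending `The logAnalyticsDestinationType parameter is kept so existing assignments can switch to resource-specific tables before migrating to the built-in initiative.`. The four hunks on this line are complete; the deployment template they patch extends outside this view.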
@@ -168,6 +185,9 @@ "logAnalytics": { "value": "[[parameters('logAnalytics')]" }, + "logAnalyticsDestinationType": { + "value": "[[parameters('logAnalyticsDestinationType')]" + }, "location": { "value": "[[field('location')]" }, diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans.json index 1ad786a6e8..8be6cf7315 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans.json @@ -6,10 +6,11 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace", - "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.", "metadata": { - "version": "1.1.0", + "deprecated": true, + "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService.json index 49d9cc7a7a..04243204d1 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService.json @@ -6,10 +6,11 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", - "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "displayName": "[Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.", "metadata": { - "version": "1.1.0", + "deprecated": true, + "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR.json index 9b8da67325..fecf24a6b9 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR.json 
@@ -6,10 +6,11 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", - "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.", "metadata": { - "version": "1.1.0", + "deprecated": true, + "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway.json index a2f20ca2e2..de0103ee37 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway.json 
@@ -6,10 +6,11 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", - "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "displayName": "[Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.", "metadata": { - "version": "1.1.0", + "deprecated": true, + "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion.json index 220b581b1f..b0aa1d5576 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion.json 
@@ -6,10 +6,11 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", - "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.", "metadata": { - "version": "1.1.0", + "deprecated": true, + "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints.json index 313bbf613f..f01f507289 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints.json 
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices.json
index 59c0644541..4e93fc6622 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB.json
index 2d4ff4c60d..7ff379fadb 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -181,6 +182,10 @@
 {
 "category": "GremlinRequests",
 "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "TableApiRequests",
+ "enabled": "[[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics.json
index 9265d6ab04..7bd4c942b1 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics.json
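Review bot: The second hunk adds a new log category `TableApiRequests` (with the version moving to `1.2.0-deprecated`) to a definition that the first hunk marks deprecated and superseded, so this functional change only reaches assignments that stay on the custom definition and is invisible to anyone who follows the description's advice to move to the built-in initiative. If the built-in initiative already covers that category the addition is dead weight; if it does not, that gap is the thing operators need to know before migrating, and neither case is recorded. The EventGridTopic hunk (`DataPlaneRequests`) and the Firewall hunks (`logAnalyticsDestinationType`) have the same shape. A sentence in the description such as `Version 1.2.0 adds the TableApiRequests log category for assignments that remain on this definition.` would make the intent explicit.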
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster.json
index e6cb73479f..aaeb6fb016 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory.json
index d94d126bed..e724451c11 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks.json
index cce90a9089..b6b919178b 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.3.0",
+ "deprecated": true,
+ "version": "1.3.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub.json
index bb043da94c..cda639a37d 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic.json
index 9d34d56baf..750e9cb451 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic.json
index af107e9cbe..bc74e81055 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -157,6 +158,10 @@
 {
 "category": "PublishFailures",
 "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DataPlaneRequests",
+ "enabled": "[[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute.json
index a47e8ad215..f30043a68a 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall.json
index fdbab49876..a89bc1b24c 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -27,6 +28,18 @@
 "strongType": "omsWorkspace"
 }
 },
+ "logAnalyticsDestinationType": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics destination type",
+ "description": "Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. Default is 'AzureDiagnostics'"
+ },
+ "defaultValue": "AzureDiagnostics",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ]
+ },
 "effect": {
 "type": "String",
 "defaultValue": "DeployIfNotExists",
@@ -115,6 +128,9 @@
 "logAnalytics": {
 "type": "String"
 },
+ "logAnalyticsDestinationType": {
+ "type": "String"
+ },
 "location": {
 "type": "String"
 },
@@ -138,6 +154,7 @@
 "dependsOn": [],
 "properties": {
 "workspaceId": "[[parameters('logAnalytics')]",
+ "logAnalyticsDestinationType": "[[parameters('logAnalyticsDestinationType')]",
 "metrics": [
 {
 "category": "AllMetrics",
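Review bot: The new `logAnalyticsDestinationType` value is written into the deployed diagnosticSettings resource in the last hunk, but none of these hunks touch the policy's existenceCondition, which lies outside the visible hunks; if that condition still checks only workspaceId and the logs/metrics flags, a firewall whose existing setting already streams to the workspace as AzureDiagnostics is judged compliant and is never remediated to Dedicated when an assignment sets the new parameter. That leaves a silent gap between what the parameter promises and what remediation enforces, and it decides which tables firewall logs land in, which detection queries downstream depend on. Either extend the existenceCondition with a clause on the setting's `logAnalyticsDestinationType` field, or state the limitation in the parameter's description, e.g. `Applies to diagnostic settings created by this policy; existing settings are not switched.` Also note the inner template parameter is declared as a bare `"type": "String"` with no `allowedValues`, so the outer policy parameter is the only place the value is constrained, which is fine but worth a comment in the description.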
@@ -220,6 +237,9 @@
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
 },
+ "logAnalyticsDestinationType": {
+ "value": "[[parameters('logAnalyticsDestinationType')]"
+ },
 "location": {
 "value": "[[field('location')]"
 },
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor.json
index 4e00ca5526..9295ba7ffe 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function.json
index 53f02f879f..46a14e276d 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight.json
index 9743d94bc1..b433ac2680 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer.json
index 0f95b01586..8ccb550931 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics.json
index 9979f634a6..2390df430c 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE.json
index f2093cdabe..7d10a79f8f 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB.json
index ec621723fe..f91ed51b2b 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB.json
@@ -6,12 +6,13 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace",
+ "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
@@ -190,4 +191,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService.json
index 6cdb6d6d41..663bf5e0ef 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService.json
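Review bot: The MariaDB deprecation diverges from the format every other hunk in this series uses: the new displayName drops the `Deploy` verb and the colon (`[Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace`), and `"deprecated": true` is inserted after `source` rather than before `version`. Anything that filters definitions on the `[Deprecated]:` prefix or compares metadata key order will treat this one file differently from the rest. Suggest `"displayName": "[Deprecated]: Deploy Diagnostic Settings for MariaDB to Log Analytics workspace",` and moving the `deprecated` key up to match the others; the retirement link added to the description is useful and should stay.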
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace.json
index 118d94ec75..8e9c856c07 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL.json
index b8fcb4c094..3b0f2d992b 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC.json
index 5286e4469e..0c677634d5 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups.json
index 37b8694bed..eee97780d4 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL.json
index 60e57cf1a1..0a09db448c 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "2.0.0",
+ "deprecated": true,
+ "version": "2.0.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded.json
index 7b1e3f5a1a..e9d5f5d832 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache.json
index c8de512abd..b714bf675f 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay.json
index 5284a02e6d..82ca19d601 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools.json
index 16b986d757..cfeeba447e 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI.json
index e682fb40df..54f907867e 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR.json
index 93a3fd4384..0c15099cb0 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights.json
index 103edbcb4f..a58c4cf7af 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager.json
index 7773231024..7ba1f96024 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM.json
index 597677d822..32adc05728 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS.json
index 56642af20e..0173018c10 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW.json
index 4c8996b9d4..07c7af631a 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.1",
+ "deprecated": true,
+ "version": "1.1.1-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW.json
new file mode 100644
index 0000000000..049be9cef7
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW.json
@@ -0,0 +1,202 @@
+{
+ "name": "Deploy-Diagnostics-VWanS2SVPNGW",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
+ "metadata": {
+ "deprecated": true,
+ "version": "1.0.0-deprecated",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/vpnGateways"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/vpnGateways/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "GatewayDiagnosticLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "IKEDiagnosticLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "RouteDiagnosticLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "TunnelDiagnosticLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork.json
index 8eafa3f80f..0ae3e34f63 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup.json
index b10f29c71b..0ef93d5f64 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup.json
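Review bot: The `existenceCondition` in the new Deploy-Diagnostics-VWanS2SVPNGW definition requires `Microsoft.Insights/diagnosticSettings/logs.enabled` and `metrics.enabled` to equal `true` unconditionally, while the deployed setting writes `[[parameters('logsEnabled')]` and `[[parameters('metricsEnabled')]`; with either parameter assigned as `False` the condition can never be satisfied and the DeployIfNotExists remediation re-fires on every evaluation without converging. The two checks should read `"equals": "[[parameters('logsEnabled')]"` and `"equals": "[[parameters('metricsEnabled')]"` (policy string comparison is case-insensitive, so `True` matches `true`). Separately, the file is introduced already marked `[Deprecated]` with `"version": "1.0.0-deprecated"` yet keeps `"defaultValue": "DeployIfNotExists"` for `effect`; if it exists only so an initiative can reference it, a `Disabled` default would stop a fresh assignment from creating diagnostic settings on `Microsoft.Network/vpnGateways` resources the built-in initiative is expected to cover.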
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.1",
+ "deprecated": true,
+ "version": "1.1.1-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools.json
index 45d6c6a2bf..cf3f0d8e85 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.3.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -151,6 +152,10 @@
 {
 "category": "SessionHostManagement",
 "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ConnectionGraphicsData",
+ "enabled": "[[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace.json
index 841563767f..8039c28817 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace.json
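Review bot: The second hunk adds a new `ConnectionGraphicsData` log category to a definition that the first hunk marks deprecated in the same change, so any assignment left in place will presumably see host pools configured with the previous category set as non-compliant and re-remediate them; the existenceCondition that decides this is outside the hunk. If the intent is that existing assignments keep working until they are migrated, that is worth saying in the `description`, otherwise the functional change and the deprecation would be clearer as separate commits. The bump to `"version": "1.3.0-deprecated"` also differs from the other Deploy-Diagnostics-* hunks, which keep their version number and only append the suffix, so a reader cannot tell whether the category was added independently of the deprecation.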
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.1",
+ "deprecated": true,
+ "version": "1.1.1-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm.json
index 2ad8661682..4a71124c30 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website.json
index f9d7ef6977..06c8d87a79 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.2.0",
+ "deprecated": true,
+ "version": "1.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub.json
index 093523a6aa..e8717ee0c1 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub.json
@@ -6,10 +6,11 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
- "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS.json
new file mode 100644
index 0000000000..9932a32f64
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS.json
@@ -0,0 +1,95 @@
+{
+ "name": "Deploy-LogicApp-TLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Configure Logic apps to use the latest TLS version",
+ "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Logic Apps",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "contains": "workflowapp"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Web/sites/config",
+ "name": "web",
+ "existenceCondition": {
+ "field": "Microsoft.Web/sites/config/minTlsVersion",
+ "equals": "1.2"
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "siteName": {
+ "value": "[[field('name')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "siteName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": 
"Microsoft.Web/sites/config", + "apiVersion": "2021-02-01", + "name": "[[concat(parameters('siteName'), '/web')]", + "properties": { + "minTlsVersion": "1.2" + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association.json new file mode 100644 index 0000000000..74cb7ea088 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association.json 
@@ -0,0 +1,202 @@
+{
+ "name": "Deploy-MDFC-Arc-SQL-DCR-Association",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR",
+ "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html",
+ "metadata": {
+ "version": "1.0.0-deprecated",
+ "category": "Security Center",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "supersededBy": "2227e1f1-23dd-4c3a-85a9-7024a401d8b2",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "workspaceRegion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Workspace region",
+ "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
+ "strongType": "location"
+ }
+ },
+ "dcrName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Name",
+ "description": "Name of the Data Collection Rule."
+ }
+ },
+ "dcrResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Resource Group",
+ "description": "Resource Group of the Data Collection Rule."
+ }
+ },
+ "dcrId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Data Collection Rule Id",
+ "description": "Id of the Data Collection Rule." 
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.HybridCompute/machines"
+ },
+ {
+ "field": "Microsoft.HybridCompute/machines/osName",
+ "equals": "Windows"
+ },
+ {
+ "field": "Microsoft.HybridCompute/machines/mssqlDiscovered",
+ "equals": "true"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/dataCollectionRuleAssociations",
+ "name": "MicrosoftDefenderForSQL-RulesAssociation",
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceGroup": {
+ "type": "string"
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "workspaceRegion": {
+ "type": "string"
+ },
+ "dcrName": {
+ "type": "string"
+ },
+ "dcrResourceGroup": {
+ "type": "string"
+ },
+ "dcrId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "locationLongNameToShortMap": {
+ "australiacentral": "CAU",
+ "australiaeast": "EAU",
+ "australiasoutheast": "SEAU",
+ "brazilsouth": "CQ",
+ "canadacentral": "CCA",
+ "canadaeast": "CCA",
+ "centralindia": "CIN",
+ "centralus": "CUS",
+ "eastasia": "EA",
+ "eastus2euap": "eus2p",
+ "eastus": "EUS",
+ "eastus2": "EUS2",
+ "francecentral": "PAR",
+ "germanywestcentral": "DEWC",
+ "japaneast": "EJP",
+ "jioindiawest": "CIN",
+ "koreacentral": "SE",
+ "koreasouth": "SE",
+ "northcentralus": "NCUS",
+ "northeurope": "NEU",
+ "norwayeast": "NOE",
+ "southafricanorth": "JNB",
+ "southcentralus": "SCUS",
+ "southeastasia": "SEA",
+ "southindia": "CIN",
+ "swedencentral": "SEC",
+ "switzerlandnorth": "CHN",
+ "switzerlandwest": "CHW",
+ "uaenorth": "DXB",
+ "uksouth": "SUK",
+ 
"ukwest": "WUK", + "westcentralus": "WCUS", + "westeurope": "WEU", + "westindia": "CIN", + "westus": "WUS", + "westus2": "WUS2" + }, + "locationCode": "[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]", + "subscriptionId": "[[subscription().subscriptionId]", + "defaultRGName": "[[parameters('resourceGroup')]", + "dcrName": "[[parameters('dcrName')]", + "dcrId": "[[parameters('dcrId')]", + "dcraName": "[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]" + }, + "resources": [ + { + "type": "Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations", + "name": "[[variables('dcraName')]", + "apiVersion": "2021-04-01", + "properties": { + "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.", + "dataCollectionRuleId": "[[variables('dcrId')]" + } + } + ] + }, + "parameters": { + "resourceGroup": { + "value": "[[parameters('dcrResourceGroup')]" + }, + "vmName": { + "value": "[[field('name')]" + }, + "workspaceRegion": { + "value": "[[parameters('workspaceRegion')]" + }, + "dcrName": { + "value": "[[parameters('dcrName')]" + }, + "dcrResourceGroup": { + "value": "[[parameters('dcrResourceGroup')]" + }, + "dcrId": { + "value": "[[parameters('dcrId')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json new file mode 100644 index 0000000000..8acdfb9c26 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json 
@@ -0,0 +1,406 @@ +{ + "name": "Deploy-MDFC-Arc-Sql-DefenderSQL-DCR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW", + "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html", + "metadata": { + "version": "1.0.0-deprecated", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "63d03cbd-47fd-4ee1-8a1c-9ddf07303de0", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "userWorkspaceResourceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Resource Id", + "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "omsWorkspace" + } + }, + "workspaceRegion": { + "type": "String", + "metadata": { + "displayName": "Workspace region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "location" + } + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "Boolean", + "metadata": { + "displayName": "Enable collection of SQL queries for security research", + "description": "Enable or disable the collection of SQL queries for security research." 
+ }, + "allowedValues": [ + true, + false + ], + "defaultValue": false + }, + "dcrName": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Name", + "description": "Name of the Data Collection Rule." + } + }, + "dcrResourceGroup": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Resource Group", + "description": "Resource Group of the Data Collection Rule." + } + }, + "dcrId": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Id", + "description": "Id of the Data Collection Rule." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.HybridCompute/machines" + }, + { + "field": "Microsoft.HybridCompute/machines/osName", + "equals": "Windows" + }, + { + "field": "Microsoft.HybridCompute/machines/mssqlDiscovered", + "equals": "true" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/dataCollectionRules", + "deploymentScope": "subscription", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceScope": "subscription", + "existenceCondition": { + "allOf": [ + { + "field": "location", + "equals": "[[parameters('workspaceRegion')]" + }, + { + "field": "name", + "equals": "[[parameters('dcrName')]" + } + ] + }, + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroup": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "userWorkspaceResourceId": { + "type": "string" + }, + "workspaceRegion": { + "type": "string" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "bool" + }, + "dcrName": { + "type": "string" + }, + "dcrResourceGroup": { + "type": "string" + }, + "dcrId": { + 
"type": "string" + } + }, + "variables": { + "locationLongNameToShortMap": { + "australiacentral": "CAU", + "australiaeast": "EAU", + "australiasoutheast": "SEAU", + "brazilsouth": "CQ", + "canadacentral": "CCA", + "canadaeast": "CCA", + "centralindia": "CIN", + "centralus": "CUS", + "eastasia": "EA", + "eastus2euap": "eus2p", + "eastus": "EUS", + "eastus2": "EUS2", + "francecentral": "PAR", + "germanywestcentral": "DEWC", + "japaneast": "EJP", + "jioindiawest": "CIN", + "koreacentral": "SE", + "koreasouth": "SE", + "northcentralus": "NCUS", + "northeurope": "NEU", + "norwayeast": "NOE", + "southafricanorth": "JNB", + "southcentralus": "SCUS", + "southeastasia": "SEA", + "southindia": "CIN", + "swedencentral": "SEC", + "switzerlandnorth": "CHN", + "switzerlandwest": "CHW", + "uaenorth": "DXB", + "uksouth": "SUK", + "ukwest": "WUK", + "westcentralus": "WCUS", + "westeurope": "WEU", + "westindia": "CIN", + "westus": "WUS", + "westus2": "WUS2" + }, + "locationCode": "[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]", + "subscriptionId": "[[subscription().subscriptionId]", + "defaultRGName": "[[parameters('resourceGroup')]", + "defaultRGLocation": "[[parameters('workspaceRegion')]", + "dcrName": "[[parameters('dcrName')]", + "dcrId": "[[parameters('dcrId')]", + "dcraName": "[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]", + "deployDataCollectionRules": "[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]", + "deployDataCollectionRulesAssociation": "[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "condition": "[[empty(parameters('dcrResourceGroup'))]", + "type": "Microsoft.Resources/resourceGroups", + "name": "[[variables('defaultRGName')]", + "apiVersion": "2022-09-01", + "location": 
"[[variables('defaultRGLocation')]", + "tags": { + "createdBy": "MicrosoftDefenderForSQL" + } + }, + { + "condition": "[[empty(parameters('dcrId'))]", + "type": "Microsoft.Resources/deployments", + "name": "[[variables('deployDataCollectionRules')]", + "apiVersion": "2022-09-01", + "resourceGroup": "[[variables('defaultRGName')]", + "dependsOn": [ + "[[variables('defaultRGName')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "defaultRGLocation": { + "value": "[[variables('defaultRGLocation')]" + }, + "workspaceResourceId": { + "value": "[[parameters('userWorkspaceResourceId')]" + }, + "dcrName": { + "value": "[[variables('dcrName')]" + }, + "dcrId": { + "value": "[[variables('dcrId')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "defaultRGLocation": { + "type": "string" + }, + "workspaceResourceId": { + "type": "string" + }, + "dcrName": { + "type": "string" + }, + "dcrId": { + "type": "string" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "bool" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionRules", + "name": "[[parameters('dcrName')]", + "apiVersion": "2021-04-01", + "location": "[[parameters('defaultRGLocation')]", + "tags": { + "createdBy": "MicrosoftDefenderForSQL" + }, + "properties": { + "description": "Data collection rule for Microsoft Defender for SQL. 
Deleting this rule will break the detection of security vulnerabilities.", + "dataSources": { + "extensions": [ + { + "extensionName": "MicrosoftDefenderForSQL", + "name": "MicrosoftDefenderForSQL", + "streams": [ + "Microsoft-DefenderForSqlAlerts", + "Microsoft-DefenderForSqlLogins", + "Microsoft-DefenderForSqlTelemetry", + "Microsoft-DefenderForSqlScanEvents", + "Microsoft-DefenderForSqlScanResults" + ], + "extensionSettings": { + "enableCollectionOfSqlQueriesForSecurityResearch": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + } + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[[parameters('workspaceResourceId')]", + "name": "LogAnalyticsDest" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-DefenderForSqlAlerts", + "Microsoft-DefenderForSqlLogins", + "Microsoft-DefenderForSqlTelemetry", + "Microsoft-DefenderForSqlScanEvents", + "Microsoft-DefenderForSqlScanResults" + ], + "destinations": [ + "LogAnalyticsDest" + ] + } + ] + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "name": "[[variables('deployDataCollectionRulesAssociation')]", + "apiVersion": "2022-09-01", + "resourceGroup": "[[parameters('resourceGroup')]", + "dependsOn": [ + "[[variables('deployDataCollectionRules')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "dcrId": { + "value": "[[variables('dcrId')]" + }, + "dcraName": { + "value": "[[variables('dcraName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "dcrId": { + "type": "string" + }, + "dcraName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations", + "name": "[[parameters('dcraName')]", + "apiVersion": "2021-04-01", + "properties": { + "description": "Configure 
association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.", + "dataCollectionRuleId": "[[parameters('dcrId')]" + } + } + ] + } + } + } + ] + }, + "parameters": { + "resourceGroup": { + "value": "[[parameters('dcrResourceGroup')]" + }, + "vmName": { + "value": "[[field('name')]" + }, + "userWorkspaceResourceId": { + "value": "[[parameters('userWorkspaceResourceId')]" + }, + "workspaceRegion": { + "value": "[[parameters('workspaceRegion')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + }, + "dcrName": { + "value": "[[parameters('dcrName')]" + }, + "dcrResourceGroup": { + "value": "[[parameters('dcrResourceGroup')]" + }, + "dcrId": { + "value": "[[parameters('dcrId')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA.json new file mode 100644 index 0000000000..7e2e444abe --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA.json 
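Review bot: The subscription-scoped deployment hard-codes `"location": "eastus"` while the metadata's `alzCloudEnvironments` lists `AzureChinaCloud` and `AzureUSGovernment`, where no `eastus` region exists, so the DeployIfNotExists remediation cannot run in two of the three environments the definition claims to support. Reusing the region the assignment already supplies, `"location": "[[parameters('workspaceRegion')]"`, or a per-cloud value, would keep the deployment metadata valid everywhere, if the policy engine accepts an expression in that property. The Deploy-MDFC-SQL-DefenderSQL-DCR hunk that begins at the end of this chunk carries the same hard-coded `eastus`. Separately, the association deployment is scoped to `parameters('resourceGroup')` (the DCR's resource group) but names its `Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations` resource from `field('name')` alone, so it presumably only resolves when the Arc machine lives in the same resource group as the DCR; that constraint belongs in the `dcrResourceGroup` parameter description if it is intended.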
@@ -0,0 +1,177 @@ +{ + "name": "Deploy-MDFC-SQL-AMA", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent", + "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html", + "metadata": { + "version": "1.0.0-deprecated", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "f91991d1-5383-4c95-8ee5-5ac423dd8bb1", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "identityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "Identity Resource Group", + "description": "The name of the resource group created by the policy." + }, + "defaultValue": "" + }, + "userAssignedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User Assigned Managed Identity Name", + "description": "The name of the user assigned managed identity." 
+ }, + "defaultValue": "" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Windows*" + }, + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftsqlserver" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "evaluationDelay": "AfterProvisioning", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "name": "[[concat(field('fullName'), '/AzureMonitorWindowsAgent')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "AzureMonitorWindowsAgent" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", + "in": [ + "Succeeded", + "Provisioning succeeded" + ] + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + }, + "userAssignedIdentityName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorWindowsAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionType": "AzureMonitorWindowsAgent", + "extensionTypeHandlerVersion": "1.2" + }, + "resources": [ + { + "name": "[[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachines/extensions", + "location": 
"[[parameters('location')]", + "tags": { + "createdBy": "MicrosoftDefenderForSQL" + }, + "apiVersion": "2023-03-01", + "properties": { + "publisher": "[[variables('extensionPublisher')]", + "type": "[[variables('extensionType')]", + "typeHandlerVersion": "[[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))]" + }, + "userAssignedIdentityName": { + "value": "[[parameters('userAssignedIdentityName')]" + }, + "identityResourceGroup": { + "value": "[[parameters('identityResourceGroup')]" + } + } + } + } + } + } + } + } +} diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR.json new file mode 100644 index 0000000000..05db291836 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR.json 
@@ -0,0 +1,465 @@ +{ + "name": "Deploy-MDFC-SQL-DefenderSQL-DCR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW", + "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html", + "metadata": { + "version": "1.0.1-deprecated", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "04754ef9-9ae3-4477-bf17-86ef50026304", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "userWorkspaceResourceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Resource Id", + "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "omsWorkspace" + } + }, + "workspaceRegion": { + "type": "String", + "metadata": { + "displayName": "Workspace region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "location" + } + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "Boolean", + "metadata": { + "displayName": "Enable collection of SQL queries for security research", + "description": "Enable or disable the collection of SQL queries for security research." 
+ }, + "allowedValues": [ + true, + false + ], + "defaultValue": false + }, + "dcrName": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Name", + "description": "Name of the Data Collection Rule." + } + }, + "dcrResourceGroup": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Resource Group", + "description": "Resource Group of the Data Collection Rule." + } + }, + "dcrId": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Id", + "description": "Id of the Data Collection Rule." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Windows*" + }, + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftsqlserver" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/dataCollectionRules", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceScope": "subscription", + "existenceCondition": { + "allOf": [ + { + "field": "location", + "equals": "[[parameters('workspaceRegion')]" + }, + { + "field": "name", + "equals": "[[parameters('dcrName')]" + } + ] + }, + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroup": { + "type": "string" + }, + "location": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "userWorkspaceResourceId": { + "type": "string" + }, + "workspaceRegion": { + "type": "string" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "bool" + }, + 
"dcrName": { + "type": "string" + }, + "dcrResourceGroup": { + "type": "string" + }, + "dcrId": { + "type": "string" + } + }, + "variables": { + "locationLongNameToShortMap": { + "australiacentral": "CAU", + "australiaeast": "EAU", + "australiasoutheast": "SEAU", + "brazilsouth": "CQ", + "canadacentral": "CCA", + "canadaeast": "CCA", + "centralindia": "CIN", + "centralus": "CUS", + "eastasia": "EA", + "eastus2euap": "eus2p", + "eastus": "EUS", + "eastus2": "EUS2", + "francecentral": "PAR", + "germanywestcentral": "DEWC", + "japaneast": "EJP", + "jioindiawest": "CIN", + "koreacentral": "SE", + "koreasouth": "SE", + "northcentralus": "NCUS", + "northeurope": "NEU", + "norwayeast": "NOE", + "southafricanorth": "JNB", + "southcentralus": "SCUS", + "southeastasia": "SEA", + "southindia": "CIN", + "swedencentral": "SEC", + "switzerlandnorth": "CHN", + "switzerlandwest": "CHW", + "uaenorth": "DXB", + "uksouth": "SUK", + "ukwest": "WUK", + "westcentralus": "WCUS", + "westeurope": "WEU", + "westindia": "CIN", + "westus": "WUS", + "westus2": "WUS2" + }, + "locationCode": "[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]", + "subscriptionId": "[[subscription().subscriptionId]", + "defaultRGName": "[[parameters('dcrResourceGroup')]", + "defaultRGLocation": "[[parameters('workspaceRegion')]", + "dcrName": "[[parameters('dcrName')]", + "dcrId": "[[parameters('dcrId')]", + "dcraName": "[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]", + "deployDataCollectionRules": "[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]", + "deployDataCollectionRulesAssociation": "[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]", + "deployDefenderForSQL": "[[concat('deployDefenderForSQL-', uniqueString(deployment().name))]" + }, + "resources": [ + { + 
"condition": "[[empty(parameters('dcrResourceGroup'))]", + "type": "Microsoft.Resources/resourceGroups", + "name": "[[variables('defaultRGName')]", + "apiVersion": "2022-09-01", + "location": "[[variables('defaultRGLocation')]", + "tags": { + "createdBy": "MicrosoftDefenderForSQL" + } + }, + { + "type": "Microsoft.Resources/deployments", + "name": "[[variables('deployDefenderForSQL')]", + "apiVersion": "2022-09-01", + "resourceGroup": "[[parameters('resourceGroup')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[[parameters('location')]" + }, + "vmName": { + "value": "[[parameters('vmName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "vmName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]", + "apiVersion": "2023-03-01", + "location": "[[parameters('location')]", + "tags": { + "createdBy": "MicrosoftDefenderForSQL" + }, + "properties": { + "publisher": "Microsoft.Azure.AzureDefenderForSQL", + "type": "AdvancedThreatProtection.Windows", + "typeHandlerVersion": "2.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true + } + } + ] + } + } + }, + { + "condition": "[[empty(parameters('dcrId'))]", + "type": "Microsoft.Resources/deployments", + "name": "[[variables('deployDataCollectionRules')]", + "apiVersion": "2022-09-01", + "resourceGroup": "[[variables('defaultRGName')]", + "dependsOn": [ + "[[variables('defaultRGName')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "defaultRGLocation": { + "value": "[[variables('defaultRGLocation')]" + }, + 
"workspaceResourceId": { + "value": "[[parameters('userWorkspaceResourceId')]" + }, + "dcrName": { + "value": "[[variables('dcrName')]" + }, + "dcrId": { + "value": "[[variables('dcrId')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "defaultRGLocation": { + "type": "string" + }, + "workspaceResourceId": { + "type": "string" + }, + "dcrName": { + "type": "string" + }, + "dcrId": { + "type": "string" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "bool" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionRules", + "name": "[[parameters('dcrName')]", + "apiVersion": "2021-04-01", + "location": "[[parameters('defaultRGLocation')]", + "tags": { + "createdBy": "MicrosoftDefenderForSQL" + }, + "properties": { + "description": "Data collection rule for Microsoft Defender for SQL. 
Deleting this rule will break the detection of security vulnerabilities.", + "dataSources": { + "extensions": [ + { + "extensionName": "MicrosoftDefenderForSQL", + "name": "MicrosoftDefenderForSQL", + "streams": [ + "Microsoft-DefenderForSqlAlerts", + "Microsoft-DefenderForSqlLogins", + "Microsoft-DefenderForSqlTelemetry", + "Microsoft-DefenderForSqlScanEvents", + "Microsoft-DefenderForSqlScanResults" + ], + "extensionSettings": { + "enableCollectionOfSqlQueriesForSecurityResearch": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + } + } + ] + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[[parameters('workspaceResourceId')]", + "name": "LogAnalyticsDest" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-DefenderForSqlAlerts", + "Microsoft-DefenderForSqlLogins", + "Microsoft-DefenderForSqlTelemetry", + "Microsoft-DefenderForSqlScanEvents", + "Microsoft-DefenderForSqlScanResults" + ], + "destinations": [ + "LogAnalyticsDest" + ] + } + ] + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "name": "[[variables('deployDataCollectionRulesAssociation')]", + "apiVersion": "2022-09-01", + "resourceGroup": "[[parameters('resourceGroup')]", + "dependsOn": [ + "[[variables('deployDataCollectionRules')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "dcrId": { + "value": "[[variables('dcrId')]" + }, + "dcraName": { + "value": "[[variables('dcraName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "dcrId": { + "type": "string" + }, + "dcraName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations", + "name": "[[parameters('dcraName')]", + "apiVersion": "2021-04-01", + "properties": { + "description": 
"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.", + "dataCollectionRuleId": "[[parameters('dcrId')]" + } + } + ] + } + } + } + ] + }, + "parameters": { + "resourceGroup": { + "value": "[[resourceGroup().name]" + }, + "location": { + "value": "[[field('location')]" + }, + "vmName": { + "value": "[[field('name')]" + }, + "userWorkspaceResourceId": { + "value": "[[parameters('userWorkspaceResourceId')]" + }, + "workspaceRegion": { + "value": "[[parameters('workspaceRegion')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + }, + "dcrName": { + "value": "[[parameters('dcrName')]" + }, + "dcrResourceGroup": { + "value": "[[parameters('dcrResourceGroup')]" + }, + "dcrId": { + "value": "[[parameters('dcrId')]" + } + } + } + } + } + } + } + } +} diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL.json new file mode 100644 index 0000000000..43f8d54493 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL.json 
@@ -0,0 +1,242 @@ +{ + "name": "Deploy-MDFC-SQL-DefenderSQL", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "displayName": "[Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL", + "policyType": "Custom", + "mode": "Indexed", + "description": "Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html", + "metadata": { + "version": "1.0.0-deprecated", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "workspaceRegion": { + "type": "String", + "metadata": { + "displayName": "Workspace region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "location" + } + }, + "dcrName": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Name", + "description": "Name of the Data Collection Rule." + } + }, + "dcrResourceGroup": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Resource Group", + "description": "Resource Group of the Data Collection Rule." + } + }, + "dcrId": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Id", + "description": "Id of the Data Collection Rule." 
+ } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Windows*" + }, + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftsqlserver" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[[concat(field('fullName'), '/MicrosoftDefenderForSQL')]", + "evaluationDelay": "AfterProvisioning", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "AdvancedThreatProtection.Windows" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Azure.AzureDefenderForSQL" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", + "in": [ + "Succeeded", + "Provisioning succeeded" + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "workspaceRegion": { + "type": "string" + }, + "dcrResourceGroup": { + "type": "string" + }, + "dcrName": { + "type": "string" + }, + "dcrId": { + "type": "string" + } + }, + "variables": { + "locationLongNameToShortMap": { + "australiacentral": "CAU", + "australiaeast": "EAU", + "australiasoutheast": "SEAU", + "brazilsouth": "CQ", + "canadacentral": "CCA", + "canadaeast": "CCA", + "centralindia": "CIN", + "centralus": "CUS", + "eastasia": "EA", + "eastus2euap": "eus2p", 
+ "eastus": "EUS", + "eastus2": "EUS2", + "francecentral": "PAR", + "germanywestcentral": "DEWC", + "japaneast": "EJP", + "jioindiawest": "CIN", + "koreacentral": "SE", + "koreasouth": "SE", + "northcentralus": "NCUS", + "northeurope": "NEU", + "norwayeast": "NOE", + "southafricanorth": "JNB", + "southcentralus": "SCUS", + "southeastasia": "SEA", + "southindia": "CIN", + "swedencentral": "SEC", + "switzerlandnorth": "CHN", + "switzerlandwest": "CHW", + "uaenorth": "DXB", + "uksouth": "SUK", + "ukwest": "WUK", + "westcentralus": "WCUS", + "westeurope": "WEU", + "westindia": "CIN", + "westus": "WUS", + "westus2": "WUS2" + }, + "actualLocation": "[[if(empty(parameters('workspaceRegion')), parameters('location'), parameters('workspaceRegion'))]", + "locationCode": "[[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]", + "subscriptionId": "[[subscription().subscriptionId]", + "defaultRGName": "[[parameters('dcrResourceGroup')]", + "dcrName": "[[parameters('dcrName')]", + "dcrId": "[[parameters('dcrId')]", + "dcraName": "[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]", + "apiVersion": "2023-03-01", + "location": "[[parameters('location')]", + "tags": { + "createdBy": "MicrosoftDefenderForSQL" + }, + "properties": { + "publisher": "Microsoft.Azure.AzureDefenderForSQL", + "type": "AdvancedThreatProtection.Windows", + "typeHandlerVersion": "2.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true + }, + "dependsOn": [ + "[[extensionResourceId(concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName')), 
'Microsoft.Insights/dataCollectionRuleAssociations','MicrosoftDefenderForSQL-RulesAssociation')]" + ] + }, + { + "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations", + "name": "[[variables('dcraName')]", + "apiVersion": "2021-04-01", + "properties": { + "description": "Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.", + "dataCollectionRuleId": "[[variables('dcrId')]" + } + } + ] + }, + "parameters": { + "location": { + "value": "[[field('location')]" + }, + "vmName": { + "value": "[[field('name')]" + }, + "workspaceRegion": { + "value": "[[parameters('workspaceRegion')]" + }, + "dcrResourceGroup": { + "value": "[[parameters('dcrResourceGroup')]" + }, + "dcrName": { + "value": "[[parameters('dcrName')]" + }, + "dcrId": { + "value": "[[parameters('dcrId')]" + } + } + } + } + } + } + } + } +} diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement.json index fb236bc0a0..12d288e12c 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement.json 
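Review bot: The `workspaceRegion`, `dcrResourceGroup` and `dcrName` policy parameters have no `defaultValue`, so every assignment must supply them, yet nothing in the template consumes them: `actualLocation` feeds only `locationCode`, and `locationCode`, `defaultRGName` and the `dcrName` variable are never referenced by either resource (only `location`, `vmName`, `subscriptionId`, `dcraName` and `dcrId` are). Trimming the `parameters` block to `effect` and `dcrId`, and dropping the dead variables, would make the real contract visible to whoever assigns this before it is retired. `dcrId` also carries no `strongType`, so an assignment can pass any string; `"strongType": "Microsoft.Insights/dataCollectionRules"` (the type the sibling DCR definition deploys, and the same pattern Deploy-Private-DNS-Generic uses for its zone parameter) would at least make the portal picker validate it. Finally, the `existenceCondition` checks only the MicrosoftDefenderForSQL extension, so a VM whose rule association is later removed still evaluates as compliant — if that is intended, a sentence in `description` saying the DCRA is deployed but not part of compliance would save the next reader from guessing.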
@@ -9,7 +9,7 @@
 "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.",
 "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -84,7 +84,7 @@
 ]
 },
 "roleDefinitionIds": [
- "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
 ],
 "deployment": {
 "properties": {
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA.json
index b29ea65d5f..f1b3cbdbd8 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA.json
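Review bot: The remediation identity's role in the second hunk moves from `8e3af657-…` (Owner) to `b24988ac-…` (Contributor), which is a real reduction, but Contributor at assignment scope is still far wider than what writing the TLS/SSL properties of a MySQL server requires; the Deploy-SQL-minTLS hunk in this same change shows the preferred shape — a resource-family role (`6d8ee4ec-…`) rather than Contributor — and the Deploy-PostgreSQL-sslEnforcement hunk (`@@ -85,7 +85,7 @@`) has the same gap. If no narrower built-in role covers the MySQL and PostgreSQL server types, a short sentence in `description` recording that Contributor is the smallest built-in role for this write would stop the next reviewer from re-raising it. The bump to `1.1.0` does not say why the role changed; since role assignments for existing assignments were presumably created against the old role, the metadata or commit message should state that assignments need their managed-identity permissions reconciled after this update.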
@@ -7,9 +7,10 @@
 "policyType": "Custom",
 "mode": "Indexed",
 "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics",
- "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.",
+ "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html",
 "metadata": {
 "deprecated": true,
+ "supersededBy": "e920df7f-9a64-4066-9b58-52684c02a091",
 "version": "1.1.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
@@ -41,7 +42,7 @@
 "displayName": "Resource ID of Log Analytics workspace",
 "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
 },
- "defaultValue": ""
+ "defaultValue": ""
 },
 "effect": {
 "type": "String",
@@ -231,4 +232,4 @@
 }
 }
 }
-}
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs.json
index 48b067cbdb..30caee3b50 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs.json
@@ -7,9 +7,10 @@
 "policyType": "Custom",
 "mode": "Indexed",
 "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics",
- "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period.",
+ "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html",
 "metadata": {
 "deprecated": true,
+ "supersededBy": "e920df7f-9a64-4066-9b58-52684c02a091",
 "version": "1.0.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement.json
index 02aafea9c3..29bef9f8cc 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement.json
@@ -9,7 +9,7 @@
 "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ",
 "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -85,7 +85,7 @@
 },
 "name": "current",
 "roleDefinitionIds": [
- "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
 ],
 "deployment": {
 "properties": {
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json
new file mode 100644
index 0000000000..25a41b067e
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json
@@ -0,0 +1,154 @@ +{ + "name": "Deploy-Private-DNS-Generic", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy-Private-DNS-Generic", + "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.", + "metadata": { + "version": "1.0.0", + "category": "Networking", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "Private DNS Zone ID for Paas services", + "description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.", + "strongType": "Microsoft.Network/privateDnsZones", + "assignPermissions": true + } + }, + "resourceType": { + "type": "String", + "metadata": { + "displayName": "PaaS private endpoint resource type", + "description": "The PaaS endpoint resource type." + } + }, + "groupId": { + "type": "String", + "metadata": { + "displayName": "PaaS Private endpoint group ID (subresource)", + "description": "The group ID of the PaaS private endpoint. Also referred to as subresource." + } + }, + "evaluationDelay": { + "type": "String", + "metadata": { + "displayName": "Evaluation Delay", + "description": "The delay in evaluation of the policy. 
Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists" + }, + "defaultValue": "PT10M" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId", + "contains": "[[parameters('resourceType')]" + }, + { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "[[parameters('groupId')]" + } + ] + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "evaluationDelay": "[[parameters('evaluationDelay')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "PaaS-Service-Private-DNS-Zone-Config", + "properties": { + "privateDnsZoneId": "[[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { 
+ "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + } +} diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS.json index eac46ec7e9..23867cc99a 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS.json @@ -9,7 +9,7 @@ "displayName": "SQL servers deploys a specific min TLS version requirement.", "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -72,7 +72,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437" ], "deployment": { "properties": { diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde.json index 1296f35033..dad5578a7e 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde.json 
@@ -6,10 +6,12 @@
 "properties": {
 "policyType": "Custom",
 "mode": "Indexed",
- "displayName": "Deploy SQL Database Transparent Data Encryption",
- "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment",
+ "displayName": "[Deprecated] Deploy SQL Database Transparent Data Encryption",
+ "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html",
 "metadata": {
- "version": "1.1.0",
+ "deprecated": true,
+ "supersededBy": "86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "version": "1.1.1-deprecated",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments.json
index 861f44cd0c..807f7299a8 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments.json
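Review bot: The new `displayName` uses `[Deprecated] ` without the colon that the other deprecations in this change use (`"[Deprecated]: Deploy SQL Database vulnerability Assessments"` in the next hunk, and both Deploy-MDFC-SQL definitions), and the `description` says "Please use this policy instead" where the others say "Superseded by"; anything that keys on the prefix or phrase to list deprecated definitions will treat this one differently. Suggest `"displayName": "[Deprecated]: Deploy SQL Database Transparent Data Encryption"` and ending the description with `Superseded by https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html` so the text matches the `supersededBy` metadata the hunk already adds.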
@@ -6,12 +6,14 @@ "properties": { "policyType": "Custom", "mode": "Indexed", - "displayName": "Deploy SQL Database vulnerability Assessments", - "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters", + "displayName": "[Deprecated]: Deploy SQL Database vulnerability Assessments", + "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html", "metadata": { - "version": "1.0.1", + "version": "1.0.1-deprecated", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "Deploy-Sql-vulnerabilityAssessments_20230706", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706.json new file mode 100644 index 0000000000..13b935a7c1 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706.json 
@@ -0,0 +1,147 @@ +{ + "name": "Deploy-Sql-vulnerabilityAssessments_20230706", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL Database Vulnerability Assessments", + "description": "Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deploy-Sql-vulnerabilityAssessments", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "type": "Array", + "metadata": { + "description": "The email address(es) to send alerts.", + "displayName": "The email address(es) to send alerts." + } + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String", + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]", + "where": { + "value": "current(Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*])", + "notIn": 
"[[parameters('vulnerabilityAssessmentsEmail')]" + } + }, + "greater": 0 + }, + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled", + "equals": true + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + }, + "vulnerabilityAssessmentsEmail": { + "type": "Array" + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2017-03-01-preview", + "properties": { + "storageContainerPath": "[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]", + "storageAccountAccessKey": "[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": false, + "emails": "[[parameters('vulnerabilityAssessmentsEmail')]" + } + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[[field('location')]" + }, + "sqlServerName": { + "value": "[[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[[field('name')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } + }, + "roleDefinitionIds": [ + 
"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" + ] + } + } + } + } +} diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS.json index e60d8b31d3..a7e921a661 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS.json @@ -9,7 +9,7 @@ "displayName": "SQL managed instances deploy a specific min TLS version requirement.", "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -62,6 +62,7 @@ "effect": "[[parameters('effect')]", "details": { "type": "Microsoft.Sql/managedInstances", + "evaluationDelay": "AfterProvisioningSuccess", "existenceCondition": { "allOf": [ { @@ -72,7 +73,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d" ], "deployment": { "properties": { 
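Review bot: The `existenceCondition` of the new Deploy-Sql-vulnerabilityAssessments_20230706 definition counts `recurringScans.emails[*]` entries that are `notIn` `parameters('vulnerabilityAssessmentsEmail')` and requires that count to be `greater` than 0, so a database whose configured recipients exactly match the parameter yields a count of 0 and is remediated again, while any unrelated address satisfies the check; this reads as inverted (an `in` test, or an `equals` against the whole parameter array, is presumably what was meant) — confirm against the deprecated definition it replaces. The template also persists the storage account's shared key into `storageAccountAccessKey` via `listkeys(...)` resolved with `providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]`, a function Azure documents as deprecated and whose first entry can change under you; pin an explicit api version string, and note in the `description` that the policy stores a storage key on every database. The container path literal `'.blob.core.windows.net/vulneraabilitylogs'` misspells the container name and hard-codes the public-cloud blob suffix although `alzCloudEnvironments` lists AzureChinaCloud and AzureUSGovernment, where the suffix differs — `environment().suffixes.storage` avoids that.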
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement.json index 0218890999..8cc105cab9 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Storage", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -84,7 +84,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" ], "deployment": { "properties": { diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights.json new file mode 100644 index 0000000000..82a8bb8416 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights.json 
@@ -0,0 +1,405 @@ +{ + "name": "Deploy-UserAssignedManagedIdentity-VMInsights", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "displayName": "[Deprecated]: Deploy User Assigned Managed Identity for VM Insights", + "policyType": "Custom", + "mode": "Indexed", + "description": "Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.", + "metadata": { + "version": "1.0.0-deprecated", + "category": "Managed Identity", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Identity", + "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'." + }, + "allowedValues": [ + true, + false + ] + }, + "userAssignedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the pre-created user-assigned managed identity." + }, + "defaultValue": "" + }, + "identityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group Name", + "description": "The resource group in which the pre-created user-assigned managed identity resides." 
+ }, + "defaultValue": "" + }, + "builtInIdentityResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Built-In-Identity-RG Location", + "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false." + }, + "defaultValue": "eastus" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Policy Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match." + }, + "allowedValues": [ + "AuditIfNotExists", + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "value": "[[requestContext().apiVersion]", + "greaterOrEquals": "2018-10-01" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines", + "name": "[[field('name')]", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "identity.type", + "contains": "UserAssigned" + }, + { + "field": "identity.userAssignedIdentities", + "containsKey": "[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]" + } + ] + }, + { + "allOf": [ + { + "field": "identity.type", + "equals": "UserAssigned" + }, + { + "value": "[[string(length(field('identity.userAssignedIdentities')))]", + 
"equals": "1" + } + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "location": { + "value": "[[field('location')]" + }, + "uaName": { + "value": "[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]" + }, + "identityResourceGroup": { + "value": "[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]" + }, + "builtInIdentityResourceGroupLocation": { + "value": "[[parameters('builtInIdentityResourceGroupLocation')]" + }, + "vmName": { + "value": "[[field('name')]" + }, + "vmResourceGroup": { + "value": "[[resourceGroup().name]" + }, + "resourceId": { + "value": "[[field('id')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "uaName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + }, + "builtInIdentityResourceGroupLocation": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmResourceGroup": { + "type": "string" + }, + "resourceId": { + "type": "string" + } + }, + "variables": { + "uaNameWithLocation": "[[concat(parameters('uaName'),'-', parameters('location'))]", + "precreatedUaId": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]", + "autocreatedUaId": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]", + "deployUALockName": "[[concat('deployUALock-', uniqueString(deployment().name))]", + "deployUAName": "[[concat('deployUA-', uniqueString(deployment().name))]", + "deployGetResourceProperties": "[[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", + "deployAssignUAName": "[[concat('deployAssignUA-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[[parameters('identityResourceGroup')]", + "location": "[[parameters('builtInIdentityResourceGroupLocation')]" + }, + { + "condition": "[[parameters('bringYourOwnUserAssignedManagedIdentity')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[[variables('deployUALockName')]", + "resourceGroup": "[[parameters('identityResourceGroup')]", + "dependsOn": [ + "[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[[parameters('uaName')]" + }, + "location": { + "value": "[[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[[parameters('location')]" + } + ] + } + } + }, + { + "condition": 
"[[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[[variables('deployUAName')]", + "resourceGroup": "[[parameters('identityResourceGroup')]", + "dependsOn": [ + "[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[[variables('uaNameWithLocation')]" + }, + "location": { + "value": "[[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[[parameters('location')]" + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks", + "apiVersion": "2016-09-01", + "name": "[[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]", + "dependsOn": [ + "[[parameters('uaName')]" + ], + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[[variables('deployGetResourceProperties')]", + "location": "[[parameters('location')]", + "dependsOn": [ + "[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[[variables('deployUAName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "resource": { + "type": "object", + "value": "[[reference(parameters('resourceId'), '2019-07-01', 'Full')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[[concat(variables('deployAssignUAName'))]", + "resourceGroup": "[[parameters('vmResourceGroup')]", + "dependsOn": [ + "[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[[variables('deployUAName')]", + "[[variables('deployGetResourceProperties')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaId": { + "value": "[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]" + }, + "vmName": { + "value": "[[parameters('vmName')]" + }, + "location": { + "value": "[[parameters('location')]" + }, + "identityType": { + "value": "[[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" + }, + "userAssignedIdentities": { + "value": "[[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), 
reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaId": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "identityType": { + "type": "string" + }, + "userAssignedIdentities": { + "type": "object" + } + }, + "variables": { + "identityTypeValue": "[[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", + "userAssignedIdentitiesValue": "[[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]", + "resourceWithSingleUAI": "[[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" + }, + "resources": [ + { + "condition": "[[not(variables('resourceWithSingleUAI'))]", + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachines", + "name": "[[parameters('vmName')]", + "location": "[[parameters('location')]", + "identity": { + "type": "[[variables('identityTypeValue')]", + "userAssignedIdentities": "[[variables('userAssignedIdentitiesValue')]" + } + } + ] + } + } + } + ] + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json new file mode 100644 index 0000000000..e42d6a8f66 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json 
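Review bot: The `effect` parameter of this `[Deprecated]:` definition still defaults to `DeployIfNotExists`, so an assignment created from it performs a subscription-scope deployment with the Contributor role (`b24988ac-…`) that creates resource groups, identities and locks, even though the `description` says the policy is no longer required; a deprecated definition should ship with `"defaultValue": "Disabled"` so nothing happens unless explicitly enabled. Separately, the `Microsoft.Resources/resourceGroups` resource in the template has no `condition`, so when `bringYourOwnUserAssignedManagedIdentity` is true it re-PUTs the caller's pre-created group at `builtInIdentityResourceGroupLocation` (default `eastus`), which presumably fails when that group lives elsewhere — the neighbouring deployments are conditional, so add `"condition": "[[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]"` here too, or confirm the behaviour is intended. `deployment.location` is also hard-coded to `eastus`, which will not resolve in the China and US Government clouds listed under `alzCloudEnvironments`.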
@@ -0,0 +1,196 @@ +{ + "name": "Deploy-Vm-autoShutdown", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Virtual Machine Auto Shutdown Schedule", + "description": "Deploys an auto shutdown schedule to a virtual machine", + "metadata": { + "version": "1.0.0", + "category": "Compute", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "time": { + "type": "String", + "metadata": { + "displayName": "Scheduled Shutdown Time", + "description": "Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM" + }, + "defaultValue": "0000" + }, + "timeZoneId": { + "type": "string", + "defaultValue": "UTC", + "metadata": { + "displayName": "Time zone", + "description": "The time zone ID (e.g. Pacific Standard time)." + } + }, + "EnableNotification": { + "type": "string", + "defaultValue": "Disabled", + "metadata": { + "displayName": "Send Notification before auto-shutdown", + "description": "If notifications are enabled for this schedule (i.e. Enabled, Disabled)." + }, + "allowedValues": [ + "Disabled", + "Enabled" + ] + }, + "NotificationEmailRecipient": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "Email Address", + "description": "Email address to be used for notification" + } + }, + "NotificationWebhookUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "Webhook URL", + "description": "A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen." 
+ } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.DevTestLab/schedules", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DevTestLab/schedules/taskType", + "equals": "ComputeVmShutdownTask" + }, + { + "field": "Microsoft.DevTestLab/schedules/targetResourceId", + "equals": "[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "time": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM" + } + }, + "timeZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The time zone ID (e.g. Pacific Standard time)." + } + }, + "EnableNotification": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "If notifications are enabled for this schedule (i.e. Enabled, Disabled)." + } + }, + "NotificationEmailRecipient": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Email address to be used for notification" + } + }, + "NotificationWebhookUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen." 
+ } + } + }, + "variables": {}, + "resources": [ + { + "name": "[[concat('shutdown-computevm-',parameters('vmName'))]", + "type": "Microsoft.DevTestLab/schedules", + "location": "[[parameters('location')]", + "apiVersion": "2018-09-15", + "properties": { + "status": "Enabled", + "taskType": "ComputeVmShutdownTask", + "dailyRecurrence": { + "time": "[[parameters('time')]" + }, + "timeZoneId": "[[parameters('timeZoneId')]", + "notificationSettings": { + "status": "[[parameters('EnableNotification')]", + "timeInMinutes": 30, + "webhookUrl": "[[parameters('NotificationWebhookUrl')]", + "emailRecipient": "[[parameters('NotificationEmailRecipient')]", + "notificationLocale": "en" + }, + "targetResourceId": "[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" + } + } + ], + "outputs": {} + }, + "parameters": { + "vmName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + }, + "time": { + "value": "[[parameters('time')]" + }, + "timeZoneId": { + "value": "[[parameters('timeZoneId')]" + }, + "EnableNotification": { + "value": "[[parameters('EnableNotification')]" + }, + "NotificationEmailRecipient": { + "value": "[[parameters('NotificationEmailRecipient')]" + }, + "NotificationWebhookUrl": { + "value": "[[parameters('NotificationWebhookUrl')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Modify-NSG.json b/src/resources/Microsoft.Authorization/policyDefinitions/Modify-NSG.json new file mode 100644 index 0000000000..c8c8be1153 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Modify-NSG.json 
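Review bot: The effect is hard-coded as `"effect": "deployIfNotExists"` with no `effect` parameter, unlike the other new definitions in this commit (Modify-NSG, Modify-UDR, Deploy-Sql-vulnerabilityAssessments_20230706) which expose `Disabled` as an allowed value; without it an assignment cannot be staged or switched off short of deleting it, and with the default `time` of `0000` every VM in scope receives a nightly shutdown schedule on first evaluation. Add the same parameter block, `"effect": { "type": "String", "allowedValues": ["DeployIfNotExists", "Disabled"], "defaultValue": "DeployIfNotExists", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" } }`, and reference it with `"effect": "[[parameters('effect')]"`. Minor: `time` is declared `"type": "String"` while the sibling parameters use `"string"`, and the parameter names mix `camelCase` (`time`, `timeZoneId`) with `PascalCase` (`EnableNotification`, `NotificationEmailRecipient`).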
@@ -0,0 +1,129 @@ +{ + "name": "Modify-NSG", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Enforce specific configuration of Network Security Groups (NSG)", + "description": "This policy enforces the configuration of Network Security Groups (NSG).", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Modify", + "Disabled" + ], + "defaultValue": "Modify", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "nsgRuleName": { + "type": "string", + "defaultValue": "DenyAnyInternetOutbound" + }, + "nsgRulePriority": { + "type": "integer", + "defaultValue": 1000 + }, + "nsgRuleDirection": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "defaultValue": "Outbound" + }, + "nsgRuleAccess": { + "type": "string", + "allowedValues": [ + "Allow", + "Deny" + ], + "defaultValue": "Deny" + }, + "nsgRuleProtocol": { + "type": "string", + "defaultValue": "*" + }, + "nsgRuleSourceAddressPrefix": { + "type": "string", + "defaultValue": "*" + }, + "nsgRuleSourcePortRange": { + "type": "string", + "defaultValue": "*" + }, + "nsgRuleDestinationAddressPrefix": { + "type": "string", + "defaultValue": "Internet" + }, + "nsgRuleDestinationPortRange": { + "type": "string", + "defaultValue": "*" + }, + "nsgRuleDescription": { + "type": "string", + "defaultValue": "Deny any outbound traffic to the Internet" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]" + }, + 
"equals": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "conflictEffect": "audit", + "operations": [ + { + "operation": "add", + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]", + "value": { + "name": "[[parameters('nsgRuleName')]", + "properties": { + "description": "[[parameters('nsgRuleDescription')]", + "protocol": "[[parameters('nsgRuleProtocol')]", + "sourcePortRange": "[[parameters('nsgRuleSourcePortRange')]", + "destinationPortRange": "[[parameters('nsgRuleDestinationPortRange')]", + "sourceAddressPrefix": "[[parameters('nsgRuleSourceAddressPrefix')]", + "destinationAddressPrefix": "[[parameters('nsgRuleDestinationAddressPrefix')]", + "access": "[[parameters('nsgRuleAccess')]", + "priority": "[[parameters('nsgRulePriority')]", + "direction": "[[parameters('nsgRuleDirection')]" + } + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json b/src/resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json new file mode 100644 index 0000000000..eb698e5d84 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json 
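Review bot: The `if` block only matches network security groups whose `securityRules[*]` count `equals` 0, so an NSG that already carries a single custom rule never receives the deny-Internet rule, and the `displayName` "Enforce specific configuration of Network Security Groups" overstates what is enforced; either say so in the `description` (`"Adds the configured rule to network security groups that have no custom security rules; NSGs that already contain rules are not modified."`) or match on the absence of a rule named `parameters('nsgRuleName')` with a `count` over `securityRules[*].name`. The rule parameters `nsgRuleName` through `nsgRuleDescription` have no `metadata.displayName`/`description`, unlike `effect`, so the assignment UI shows only the raw names. The same count-equals-0 gating appears in the Modify-UDR hunk on `routes[*]`.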
@@ -0,0 +1,103 @@ +{ + "name": "Modify-UDR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Enforce specific configuration of User-Defined Routes (UDR)", + "description": "This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Modify", + "Disabled" + ], + "defaultValue": "Modify", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.", + "displayName": "Address Prefix" + } + }, + "nextHopType": { + "type": "string", + "metadata": { + "description": "The next hope type that the policy checks for within the inspected route. 
The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.", + "displayName": "Next Hop Type" + }, + "allowedValues": [ + "VnetLocal", + "VirtualNetworkGateway", + "Internet", + "VirtualAppliance", + "None" + ] + }, + "nextHopIpAddress": { + "type": "string", + "metadata": { + "description": "The IP address packets should be forwarded to.", + "displayName": "Next Hop IP Address" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/routeTables" + }, + { + "count": { + "field": "Microsoft.Network/routeTables/routes[*]" + }, + "equals": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "conflictEffect": "audit", + "operations": [ + { + "operation": "add", + "field": "Microsoft.Network/routeTables/routes[*]", + "value": { + "name": "default", + "properties": { + "addressPrefix": "[[parameters('addressPrefix')]", + "nextHopType": "[[parameters('nextHopType')]", + "nextHopIpAddress": "[[parameters('nextHopIpAddress')]" + } + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json new file mode 100644 index 0000000000..324ce38f97 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json 
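Review bot: `nextHopIpAddress` has no `defaultValue`, yet the `add` operation always writes it into the route; for the four non-`VirtualAppliance` entries in `nextHopType.allowedValues` the address is not meaningful, so every assignment is forced to supply one regardless — consider `"defaultValue": ""` and confirm the route-table API accepts an empty `nextHopIpAddress` for those hop types, or document that this definition is intended for the `VirtualAppliance` case. The `nextHopType` description reads "next hope type" (typo) and lists "Virtual Network" where the allowed value is `VnetLocal`; align the text with the enum, e.g. `"description": "The next hop type written into the route. Allowed values: VnetLocal, VirtualNetworkGateway, Internet, VirtualAppliance, None."`. The top-level `description` promises enforcement "within a subnet", but the rule targets `Microsoft.Network/routeTables` with zero routes and never inspects subnet association.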
@@ -0,0 +1,59 @@
+{
+ "name": "Audit-TrustedLaunch",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Audit virtual machines for Trusted Launch support",
+ "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Trusted Launch",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "AuditDisksOsTrustedLaunch",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AuditTrustedLaunchEnabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json
new file mode 100644
index 0000000000..3c4c556a1a
--- /dev/null
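Review bot: A second `"version": "1.0.0"` sits directly under `properties`, beside the usual `metadata.version`, and only this file in the commit does that — the other new definitions (Audit-UnusedResourcesCostOptimization, Modify-UDR) keep the version in `metadata` only. Either drop the `properties`-level one or add it to the sibling files consistently, and say which of the two the repository's tooling reads. If it is intended for the newer policy-definition versioning property, a sentence in the PR description would spare the next reader that question, since nothing else in this diff appears to use it.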
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json 
@@ -0,0 +1,102 @@
+{
+ "name": "Audit-UnusedResourcesCostOptimization",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Unused resources driving cost should be avoided",
+ "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.",
+ "metadata": {
+ "version": "2.0.0",
+ "category": "Cost Optimization",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effectDisks": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Disks Effect",
+ "description": "Enable or disable the execution of the policy for Microsoft.Compute/disks"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "effectPublicIpAddresses": {
+ "type": "String",
+ "metadata": {
+ "displayName": "PublicIpAddresses Effect",
+ "description": "Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "effectServerFarms": {
+ "type": "String",
+ "metadata": {
+ "displayName": "ServerFarms Effect",
+ "description": "Enable or disable the execution of the policy for Microsoft.Web/serverfarms"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "AuditDisksUnusedResourcesCostOptimization",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectDisks')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ 
"policyDefinitionReferenceId": "AuditPublicIpAddressesUnusedResourcesCostOptimization",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectPublicIpAddresses')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AuditServerFarmsUnusedResourcesCostOptimization",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectServerFarms')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AuditAzureHybridBenefitUnusedResourcesCostOptimization",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit",
+ "parameters": {
+ "effect": {
+ "value": "Audit"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json
index bc0ce7fa91..5cb86665e4 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json
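Review bot: The `AuditAzureHybridBenefitUnusedResourcesCostOptimization` reference hard-codes `"value": "Audit"` while the other three references take their effect from an `effect*` parameter, so an assignment of this initiative can switch off the disk, public-IP and server-farm checks but never this one; add a fourth parameter, `"effectAzureHybridBenefit": {"type": "String", "allowedValues": ["Audit", "Disabled"], "defaultValue": "Audit"}` with the same `metadata` shape as its siblings, and reference it as `"value": "[[parameters('effectAzureHybridBenefit')]"`. All four `policyDefinitionId` values point under `managementGroups/contoso`, which I take to be the placeholder the deployment tooling rewrites — worth confirming that `Audit-AzureHybridBenefit` is also deployed in every environment listed in `alzCloudEnvironments`, otherwise assignment fails in that cloud. The file is new yet starts at `"version": "2.0.0"`; if it was moved from another location that is fine, otherwise `1.0.0` is what the sibling new files use.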
@@ -8,7 +8,7 @@
 "displayName": "Public network access should be disabled for PaaS services",
 "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -119,6 +119,19 @@
 "Disabled"
 ],
 "defaultValue": "Deny"
+ },
+ "MariaDbPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Azure MariaDB",
+ "description": "This policy denies creation of Azure MariaDB with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
 }
 },
 "policyDefinitions": [
@@ -201,6 +214,16 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MariaDbDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MariaDbPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureUSGovernment.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureUSGovernment.json
index af5f893eb1..d7bc4f615f 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureUSGovernment.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureUSGovernment.json
@@ -119,6 +119,19 @@
 "Disabled"
 ],
 "defaultValue": "Deny"
+ },
+ "MariaDbPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Azure MariaDB",
+ "description": "This policy denies creation of Azure MariaDB with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
 }
 },
 "policyDefinitions": [
@@ -201,6 +214,16 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MariaDbDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MariaDbPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json
index 3303dc7f9d..6ce59a69ee 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json
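Review bot: The AzureUSGovernment initiative gains the same `MariaDbPublicIpDenyEffect` parameter and `MariaDbDenyPublicIP` reference as the AzureChinaCloud file, but unlike that file its `metadata.version` is not bumped — the first hunk here starts at line 119, so the `"version"` line in `metadata` is untouched; bump it to `"version": "1.1.0"` so consumers comparing the two cloud variants see a matching change. The USGov reference points at a custom definition, `.../managementGroups/contoso/.../Deny-PublicEndpoint-MariaDB`, where the China file uses the built-in `fdccbe47-f3e3-4213-ad5d-ea459b2fa077`; presumably the built-in is not available in that cloud, but that reasoning lives only in someone's head unless the PR description or the parameter's `description` says so, and a custom definition also has to be deployed before this set can be assigned.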
@@ -1,254 +1,973 @@ { - "name": "Deny-PublicPaaSEndpoints", - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "scope": null, - "properties": { - "policyType": "Custom", - "displayName": "Public network access should be disabled for PaaS services", - "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", - "metadata": { - "version": "1.0.1", - "category": "Network", - "source": "https://github.com/Azure/Enterprise-Scale/", - "alzCloudEnvironments": [ - "AzureCloud" - ] - }, - "parameters": { - "CosmosPublicIpDenyEffect": { - "type": "String", + "name": "Deny-PublicPaaSEndpoints", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Public network access should be disabled for PaaS services", + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", "metadata": { - "displayName": "Public network access should be disabled for CosmosDB", - "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." 
+ "version": "5.1.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "KeyVaultPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for KeyVault", - "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "SqlServerPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on Azure SQL Database should be disabled", - "description": "This policy denies creation of Sql servers with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "StoragePublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access onStorage accounts should be disabled", - "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "AKSPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on AKS API should be disabled", - "description": "This policy denies the creation of Azure Kubernetes Service non-private clusters" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "ACRPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on Azure Container Registry disabled", - "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints " - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - 
"AFSPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access on Azure File Sync disabled", - "description": "This policy denies the creation of Azure File Sync instances with exposed public endpoints " - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "PostgreSQLFlexPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for PostgreSql Flexible Server", - "description": "This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "MySQLFlexPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for MySQL Flexible Server", - "description": "This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - }, - "BatchPublicIpDenyEffect": { - "type": "String", - "metadata": { - "displayName": "Public network access should be disabled for Azure Batch Instances", - "description": "This policy denies creation of Azure Batch Instances with exposed public endpoints" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny" - } - }, - "policyDefinitions": [ - { - "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", - "parameters": { - "effect": { - "value": "[[parameters('CosmosPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", - "parameters": { - "effect": { - "value": 
"[[parameters('KeyVaultPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", - "parameters": { - "effect": { - "value": "[[parameters('SqlServerPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "StorageDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", - "parameters": { - "effect": { - "value": "[[parameters('StoragePublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AKSDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", "parameters": { - "effect": { - "value": "[[parameters('AKSPublicIpDenyEffect')]" - } + "CosmosPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for CosmosDB", + "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." 
+ }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "KeyVaultPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for KeyVault", + "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "SqlServerPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure SQL Database should be disabled", + "description": "This policy denies creation of Sql servers with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "StoragePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access onStorage accounts should be disabled", + "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AKSPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on AKS API should be disabled", + "description": "This policy denies the creation of Azure Kubernetes Service non-private clusters" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "ACRPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure Container Registry disabled", + "description": "This policy denies the creation of Azure Container Registries with exposed public endpoints " + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AFSPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure File Sync disabled", + "description": "This policy denies 
the creation of Azure File Sync instances with exposed public endpoints " + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "PostgreSQLFlexPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for PostgreSql Flexible Server", + "description": "This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "postgreSqlPublicNetworkAccess": { + "type": "string", + "metadata": { + "displayName": "Public network access should be disabled for PostgreSQL servers", + "description": "This policy denies creation of PostgreSQL DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "MySQLFlexPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for MySQL Flexible Server", + "description": "This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "BatchPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure Batch Instances", + "description": "This policy denies creation of Azure Batch Instances with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "MariaDbPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure MariaDB", + "description": "This policy denies creation of Azure MariaDB with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "MlPublicIpDenyEffect": { + "type": 
"String", + "metadata": { + "displayName": "Public network access should be disabled for Azure Machine Learning", + "description": "This policy denies creation of Azure Machine Learning with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "RedisCachePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure Cache for Redis", + "description": "This policy denies creation of Azure Cache for Redis with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "BotServicePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Bot Service", + "description": "This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AutomationPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Automation accounts", + "description": "This policy denies creation of Automation accounts with exposed public endpoints. 
Bots should be set to 'isolated only' mode" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AppConfigPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for App Configuration", + "description": "This policy denies creation of App Configuration with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "FunctionPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Function apps", + "description": "This policy denies creation of Function apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "FunctionAppSlotPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Function apps", + "description": "This policy denies creation of Function apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AsePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for App Service Environment apps", + "description": "This policy denies creation of App Service Environment apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AsPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for App Service apps", + "description": "This policy denies creation of App Service apps with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "ApiManPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled 
for API Management services", + "description": "This policy denies creation of API Management services with exposed public endpoints" + }, + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "AuditIfNotExists" + }, + "ContainerAppsEnvironmentDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Container Apps environment should disable public network access", + "description": "This policy denies creation of Container Apps Environment with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AsrVaultDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Azure Recovery Services vaults should disable public network access", + "description": "This policy denies creation of Azure Recovery Services vaults with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "logicAppPublicNetworkAccessEffect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "appSlotsPublicNetworkAccess": { + "type": "string", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "cognitiveSearchPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "managedDiskPublicNetworkAccess": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "containerAppsPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + 
"eventGridPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventGridTopicPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "keyVaultManagedHsmDisablePublicNetwork": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "mySqlPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "serviceBusDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsPublicAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapsePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "avdHostPoolPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "avdWorkspacePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "grafanaPublicNetworkAccess": { + "type": "string", + 
"defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "ACRDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", - "parameters": { - "effect": { - "value": "[[parameters('ACRPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AFSDenyPaasPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", - "parameters": { - "effect": { - "value": "[[parameters('AFSPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", - "parameters": { - "effect": { - "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", - "parameters": { - "effect": { - "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "BatchDenyPublicIP", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", - "parameters": { - "effect": { - "value": "[[parameters('BatchPublicIpDenyEffect')]" - } - }, - "groupNames": [] - } - ], - "policyDefinitionGroups": null - } -} + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "parameters": { + "effect": { + "value": "[[parameters('CosmosPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b", + "parameters": { + "effect": { + "value": "[[parameters('KeyVaultPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "parameters": { + "effect": { + "value": "[[parameters('SqlServerPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693", + "parameters": { + "effect": { + "value": "[[parameters('StoragePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "parameters": { + "effect": { + "value": "[[parameters('AKSPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ACRDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "parameters": { + "effect": { + "value": "[[parameters('ACRPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AFSDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", + "parameters": { + "effect": { + "value": "[[parameters('AFSPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "parameters": { + 
"effect": { + "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-PostgreSql-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('postgreSqlPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "parameters": { + "effect": { + "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BatchDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", + "parameters": { + "effect": { + "value": "[[parameters('BatchPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MariaDbDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077", + "parameters": { + "effect": { + "value": "[[parameters('MariaDbPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MlDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce", + "parameters": { + "effect": { + "value": "[[parameters('MlPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisCacheDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663", + "parameters": { + "effect": { + "value": "[[parameters('RedisCachePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BotServiceDenyPublicIP", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d", + "parameters": { + "effect": { + "value": "[[parameters('BotServicePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AutomationDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6", + "parameters": { + "effect": { + "value": "[[parameters('AutomationPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppConfigDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187", + "parameters": { + "effect": { + "value": "[[parameters('AppConfigPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127", + "parameters": { + "effect": { + "value": "[[parameters('FunctionPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionAppSlotsDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2", + "parameters": { + "effect": { + "value": "[[parameters('FunctionAppSlotPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AseDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3", + "parameters": { + "effect": { + "value": "[[parameters('AsePublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AsDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba", + "parameters": { + "effect": { + "value": 
"[[parameters('AsPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ApiManDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd", + "parameters": { + "effect": { + "value": "[[parameters('ApiManPublicIpDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ContainerAppsEnvironmentDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a", + "parameters": { + "effect": { + "value": "[[parameters('ContainerAppsEnvironmentDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1", + "policyDefinitionReferenceId": "Deny-ContainerApps-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionReferenceId": "AsrVaultDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090", + "parameters": { + "effect": { + "value": "[[parameters('AsrVaultDenyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-LogicApp-Public-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('logicAppPublicNetworkAccessEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622", + "policyDefinitionReferenceId": "Deny-AppSlots-Public", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appSlotsPublicNetworkAccess')]" + } + } + }, + { + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3", + "policyDefinitionReferenceId": "Deny-CognitiveSearch-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094", + "policyDefinitionReferenceId": "Deny-ManagedDisk-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('managedDiskPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673", + "policyDefinitionReferenceId": "Deny-ADX-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adxPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6", + "policyDefinitionReferenceId": "Deny-Adf-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adfPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68", + "policyDefinitionReferenceId": "Deny-EventGrid-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45", + "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventGridTopicPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e", + "policyDefinitionReferenceId": "Deny-EH-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f", + "policyDefinitionReferenceId": "Deny-KV-Hms-PublicNetwork", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultManagedHsmDisablePublicNetwork')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095", + "policyDefinitionReferenceId": "Deny-MySql-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('mySqlPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13", + "policyDefinitionReferenceId": "Deny-Sb-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDisablePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Public-Endpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751", + "policyDefinitionReferenceId": "Deny-Storage-Public-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsPublicAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d", + "policyDefinitionReferenceId": "Deny-Synapse-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapsePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd", + "policyDefinitionReferenceId": "Deny-Workspace-PublicNetworkAccess", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('avdWorkspacePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334", + "policyDefinitionReferenceId": "Deny-Hostpool-PublicNetworkAccess", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('avdHostPoolPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628", + "policyDefinitionReferenceId": "Deny-Grafana-PublicNetworkAccess", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('grafanaPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json b/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json
new file mode 100644
index 0000000000..5bd4ca7e1b
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json
@@ -0,0 +1,37 @@
+{
+ "name": "DenyAction-DeleteProtection",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings",
+ "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {},
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs",
+ "parameters": {},
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json
new file mode 100644
index 0000000000..21d11434e9
--- /dev/null
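Review bot: Both members are wired with `"parameters": {}` and the initiative itself declares `"parameters": {}`, so unlike the other initiatives in this commit there is no effect parameter that lets an assignment set one member to `Disabled` without unassigning the whole set; if `DenyAction-DiagnosticLogs` and `DenyAction-ActivityLogs` expose an `effect` parameter, consider surfacing one per member (e.g. `denyActionDiagnosticSettingsEffect` and `denyActionActivityLogSettingsEffect`) and passing it through as `"effect": { "value": "[[parameters('...')]" }` as the diagnostics initiatives do. Those two definitions sit under the `managementGroups/contoso` placeholder scope and are not in this chunk, so their parameter surface is a check rather than a confirmed defect. The description could also say what the guard is for — preventing removal of the log-forwarding configuration that the Monitoring initiatives deploy — since that is the reason a delete-protection initiative is worth assigning at management-group scope.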
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json 
@@ -0,0 +1,153 @@
+{
+ "name": "Deploy-AUM-CheckUpdates",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines",
+ "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Security Center",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "assessmentMode": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Assessment mode",
+ "description": "Assessment mode for the machines."
+ },
+ "allowedValues": [
+ "ImageDefault",
+ "AutomaticByPlatform"
+ ],
+ "defaultValue": "AutomaticByPlatform"
+ },
+ "locations": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Machines locations",
+ "description": "The list of locations from which machines need to be targeted.",
+ "strongType": "location"
+ },
+ "defaultValue": []
+ },
+ "tagValues": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "Tags on machines",
+ "description": "The list of tags that need to matched for getting target machines."
+ },
+ "defaultValue": {}
+ },
+ "tagOperator": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Tag operator",
+ "description": "Matching condition for resource tags"
+ },
+ "allowedValues": [
+ "All",
+ "Any"
+ ],
+ "defaultValue": "Any"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateWindows",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15",
+ "parameters": {
+ "assessmentMode": {
+ "value": "[[parameters('assessmentMode')]"
+ },
+ "osType": {
+ "value": "Windows"
+ },
+ "locations": {
+ "value": "[[parameters('locations')]"
+ },
+ "tagValues": {
+ "value": "[[parameters('tagValues')]"
+ },
+ "tagOperator": {
+ "value": "[[parameters('tagOperator')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateLinux",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15",
+ "parameters": {
+ "assessmentMode": {
+ "value": "[[parameters('assessmentMode')]"
+ },
+ "osType": {
+ "value": "Linux"
+ },
+ "locations": {
+ "value": "[[parameters('locations')]"
+ },
+ "tagValues": {
+ "value": "[[parameters('tagValues')]"
+ },
+ "tagOperator": {
+ "value": "[[parameters('tagOperator')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateWindows",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46",
+ "parameters": {
+ "assessmentMode": {
+ "value": "[[parameters('assessmentMode')]"
+ },
+ "osType": {
+ "value": "Windows"
+ },
+ "locations": {
+ "value": "[[parameters('locations')]"
+ },
+ "tagValues": {
+ "value": "[[parameters('tagValues')]"
+ },
+ "tagOperator": {
+ "value": "[[parameters('tagOperator')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateLinux",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46",
+ "parameters": {
+ "assessmentMode": {
+ "value": "[[parameters('assessmentMode')]"
+ },
+ "osType": {
+ "value": "Linux"
+ },
+ "locations": {
+ "value": "[[parameters('locations')]"
+ },
+ "tagValues": {
+ "value": "[[parameters('tagValues')]"
+ },
+ "tagOperator": {
+ "value": "[[parameters('tagOperator')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json
index 8b2c8ff99d..ee18af091c 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json
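Review bot: There is no per-member effect parameter, so an assigner who runs only Azure VMs (or only Arc-enabled machines) cannot set the other two members to `Disabled` without unassigning the whole initiative; if the built-in definitions `59efceea-0c96-497e-a4a1-4eb2290dac15` and `bfea026e-043f-4ff4-9d1b-bf301ca7ff46` expose an `effect` parameter, consider surfacing one per platform (e.g. `azureVmAssessmentEffect` and `arcMachineAssessmentEffect`) the way the diagnostics initiatives in this commit do. The built-in parameter surface is not visible in this diff, so treat that as a check rather than a confirmed gap. Separately, `locations` defaults to `[]` and `tagValues` to `{}`, and neither `description` says whether an empty value means "no filter, target every machine in scope" — that is the first question an assigner asks about a modify-style initiative, so a sentence on it in each parameter's `description` would help.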
@@ -775,6 +775,18 @@
 "displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace",
 "description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
+ },
+ "VWanS2SVPNGWLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
 }
 },
 "policyDefinitions": [
@@ -1782,8 +1794,24 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
 }
-}
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureUSGovernment.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureUSGovernment.json
index 84f4fa1df4..313023a4aa 100644
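Review bot: The `description` of the new `VWanS2SVPNGWLogAnalyticsEffect` parameter still says "when any storage account which is missing this diagnostic settings", copied from the Storage Accounts parameter directly above it; it should read `"description": "Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any VWAN S2S VPN gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"`. The same copied sentence appears in the AzureUSGovernment variant and in the main Deploy-Diagnostics-LogAnalytics.json hunk that adds this parameter. Neither sovereign-cloud hunk shows a change to `metadata.version`; if it was left unchanged outside these hunks, tooling that keys on the version will not register that a new member and parameter were added to the initiative.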
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureUSGovernment.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureUSGovernment.json
@@ -775,6 +775,18 @@
 "displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace",
 "description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
+ },
+ "VWanS2SVPNGWLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
 }
 },
 "policyDefinitions": [
@@ -1782,8 +1794,24 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
 }
-}
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json
index ab5afbb9a0..ecccf2cb8b 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json
@@ -5,10 +5,11 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deploy Diagnostic Settings to Azure Services",
- "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ",
+ "displayName": "[Deprecated]: Deploy Diagnostic Settings to Azure Services",
+ "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.",
 "metadata": {
- "version": "2.0.0",
+ "deprecated": true,
+ "version": "2.2.0-deprecated",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
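Review bot: The deprecation metadata here differs from the Deploy-MDFC-Config deprecation later in this commit, which sets `"supersededBy"` next to `"deprecated": true`; this hunk only names the replacement inside the free-text description. Adding `"supersededBy": "0884adba-2312-4468-abeb-5422caed1038"` (the built-in initiative the description links to) would let tooling resolve the successor without parsing prose, assuming the ALZ metadata convention accepts a built-in initiative id in that field. The later hunks in this same file also add two `LogAnalyticsDestinationType` parameters and a new VWAN member to an initiative this hunk declares deprecated; if the intent is to freeze the deprecated set and steer consumers to the built-in, those additions may belong only in the superseding initiative, otherwise a short note in the description that the set is still maintained for sovereign clouds would explain the apparent contradiction.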
@@ -104,6 +105,18 @@
 "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
 },
+ "APIMgmtLogAnalyticsDestinationType": {
+ "type": "String",
+ "defaultValue": "AzureDiagnostics",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "metadata": {
+ "displayName": "Destination table for the Diagnostic Setting for API Management to Log Analytics workspace",
+ "description": "Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'"
+ }
+ },
 "ApplicationGatewayLogAnalyticsEffect": {
 "type": "String",
 "defaultValue": "DeployIfNotExists",
@@ -320,6 +333,18 @@
 "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
 },
+ "FirewallLogAnalyticsDestinationType": {
+ "type": "String",
+ "defaultValue": "AzureDiagnostics",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "metadata": {
+ "displayName": "Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace",
+ "description": "Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'"
+ }
+ },
 "FrontDoorLogAnalyticsEffect": {
 "type": "String",
 "defaultValue": "DeployIfNotExists",
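Review bot: The two new `*LogAnalyticsDestinationType` parameters default to `AzureDiagnostics`, which presumably preserves the table existing assignments already write to, but the `description` does not say why a consumer would choose `Dedicated` or what changes when they do (resource-specific tables mean existing queries and alert rules against `AzureDiagnostics` stop matching). A sentence such as `"... 'Dedicated' writes to resource-specific tables; switching an existing assignment changes where logs land, so update queries and alert rules accordingly."` would make the trade-off explicit. The member definitions `Deploy-Diagnostics-APIMgmt` and the Firewall equivalent must accept a `logAnalyticsDestinationType` parameter for the pass-through added later in this file to deploy; their parameter surface is not in this diff, so that is a check for the reviewer with the definitions to hand.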
@@ -799,6 +824,18 @@
 "displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace",
 "description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
 }
+ },
+ "VWanS2SVPNGWLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
 }
 },
 "policyDefinitions": [
@@ -1033,6 +1070,9 @@
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
 },
+ "logAnalyticsDestinationType": {
+ "value": "[[parameters('APIMgmtLogAnalyticsDestinationType')]"
+ },
 "effect": {
 "value": "[[parameters('APIMgmtLogAnalyticsEffect')]"
 },
@@ -1321,6 +1361,9 @@
 "logAnalytics": {
 "value": "[[parameters('logAnalytics')]"
 },
+ "logAnalyticsDestinationType": {
+ "value": "[[parameters('FirewallLogAnalyticsDestinationType')]"
+ },
 "effect": {
 "value": "[[parameters('FirewallLogAnalyticsEffect')]"
 },
@@ -1905,8 +1948,24 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
 }
-}
\ No newline at end of file
+}
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json
index c0ad6e9efd..e957cd0a10 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json
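Review bot: Trailing-newline handling is inconsistent across this commit: this hunk adds a final newline to Deploy-Diagnostics-LogAnalytics.json (`-}` marked `\ No newline at end of file` becomes `+}`), while the AzureChinaCloud and AzureUSGovernment variants go the other way and drop theirs, and the new DenyAction-DeleteProtection.json and Deploy-AUM-CheckUpdates.json are committed without one. Pick one convention and enforce it (an `insert_final_newline` rule in `.editorconfig`, or a formatter step in CI) so these large policy files stop producing whitespace-only hunks that obscure the real change. The VWAN member added here is otherwise identical to the ones in the two sovereign-cloud files.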
@@ -1,337 +1,450 @@ { - "name": "Deploy-MDFC-Config", - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "scope": null, - "properties": { - "policyType": "Custom", - "displayName": "Deploy Microsoft Defender for Cloud configuration", - "description": "Deploy Microsoft Defender for Cloud configuration", - "metadata": { - "version": "3.1.1", - "category": "Security Center", - "source": "https://github.com/Azure/Enterprise-Scale/", - "alzCloudEnvironments": [ - "AzureCloud" - ] - }, - "parameters": { - "emailSecurityContact": { - "type": "string", + "name": "Deploy-MDFC-Config", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "[Deprecated]: Deploy Microsoft Defender for Cloud configuration", + "description": "Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html", "metadata": { - "displayName": "Security contacts email address", - "description": "Provide email address for Microsoft Defender for Cloud contact details" - } - }, - "minimalSeverity": { - "type": "string", - "allowedValues": [ - "High", - "Medium", - "Low" - ], - "defaultValue": "High", - "metadata": { - "displayName": "Minimal severity", - "description": "Defines the minimal alert severity which will be sent as email notifications" - } - }, - "logAnalytics": { - "type": "String", - "metadata": { - "displayName": "Primary Log Analytics workspace", - "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", - "strongType": "omsWorkspace" - } - }, - "ascExportResourceGroupName": { - "type": "String", - "metadata": { - "displayName": "Resource Group name for the export to Log Analytics workspace configuration", - "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." - } - }, - "ascExportResourceGroupLocation": { - "type": "String", - "metadata": { - "displayName": "Resource Group location for the export to Log Analytics workspace configuration", - "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." - } - }, - "enableAscForCosmosDbs": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - } - }, - "enableAscForSql": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - } - }, - "enableAscForSqlOnVm": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - } - }, - "enableAscForDns": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - 
"description": "Enable or disable the execution of the policy" - } - }, - "enableAscForArm": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - } - }, - "enableAscForOssDb": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - } - }, - "enableAscForAppServices": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - } - }, - "enableAscForKeyVault": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - } - }, - "enableAscForStorage": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - } - }, - "enableAscForContainers": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - } - }, - "enableAscForServers": { - "type": "String", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "defaultValue": "DeployIfNotExists", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - } - } - }, - "policyDefinitions": [ - { - "policyDefinitionReferenceId": 
"defenderForOssDb", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", - "parameters": { - "effect": { - "value": "[[parameters('enableAscForOssDb')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "defenderForVM", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", - "parameters": { - "effect": { - "value": "[[parameters('enableAscForServers')]" - } + "version": "7.0.0-deprecated", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "Deploy-MDFC-Config_20240319", + "alzCloudEnvironments": [ + "AzureCloud" + ] }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", "parameters": { - "effect": { - "value": "[[parameters('enableAscForSqlOnVm')]" - } + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Microsoft Defender for Cloud contact details" + } + }, + "minimalSeverity": { + "type": "string", + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": "High", + "metadata": { + "displayName": "Minimal severity", + "description": "Defines the minimal alert severity which will be sent as email notifications" + } + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Primary Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "ascExportResourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource Group name for the export to Log Analytics workspace configuration", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." + } + }, + "ascExportResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource Group location for the export to Log Analytics workspace configuration", + "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." + } + }, + "enableAscForCosmosDbs": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSql": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSqlOnVm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForDns": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + 
"description": "Enable or disable the execution of the policy" + } + }, + "enableAscForArm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForOssDb": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForAppServices": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForKeyVault": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForStorage": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForContainers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServersVulnerabilityAssessments": { + "type": "String", 
+ "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "vulnerabilityAssessmentProvider": { + "type": "String", + "allowedValues": [ + "default", + "mdeTvm" + ], + "defaultValue": "default", + "metadata": { + "displayName": "Vulnerability assessment provider type", + "description": "Select the vulnerability assessment solution to provision to machines." + } + }, + "enableAscForApis": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForCspm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "defenderForAppServices", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", - "parameters": { - "effect": { - "value": "[[parameters('enableAscForAppServices')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "defenderForStorageAccounts", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", - "parameters": { - "effect": { - "value": "[[parameters('enableAscForStorage')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "defenderforContainers", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", - "parameters": { - "effect": { - "value": "[[parameters('enableAscForContainers')]" - } - }, - "groupNames": [] - }, - { - 
"policyDefinitionReferenceId": "defenderForKeyVaults", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", - "parameters": { - "Effect": { - "value": "[[parameters('enableAscForKeyVault')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "defenderForDns", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", - "parameters": { - "effect": { - "value": "[[parameters('enableAscForDns')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "defenderForArm", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", - "parameters": { - "effect": { - "value": "[[parameters('enableAscForArm')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "defenderForSqlPaas", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", - "parameters": { - "effect": { - "value": "[[parameters('enableAscForSql')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "defenderForCosmosDbs", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", - "parameters": { - "effect": { - "value": "[[parameters('enableAscForCosmosDbs')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "securityEmailContact", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", - "parameters": { - "emailSecurityContact": { - "value": "[[parameters('emailSecurityContact')]" - }, - "minimalSeverity": { - "value": "[[parameters('minimalSeverity')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "ascExport", - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", - "parameters": { - "resourceGroupName": { - "value": "[[parameters('ascExportResourceGroupName')]" - }, - "resourceGroupLocation": { - "value": "[[parameters('ascExportResourceGroupLocation')]" - }, - "workspaceResourceId": { - "value": "[[parameters('logAnalytics')]" - } - }, - "groupNames": [] - } - ], - "policyDefinitionGroups": null - } + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "defenderForOssDb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForOssDb')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVM", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServersVulnerabilityAssessments')]" + }, + "vaType": { + "value": "[[parameters('vulnerabilityAssessmentProvider')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSqlOnVm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForAppServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "parameters": { + "effect": { + "value": 
"[[parameters('enableAscForAppServices')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForStorageAccountsV2", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForStorage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforContainers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforKubernetes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "azurePolicyForKubernetes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForKeyVaults", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForKeyVault')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForDns", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForDns')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForArm", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForArm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlPaas", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSql')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCosmosDbs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCosmosDbs')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForApis", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForApis')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCspm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCspm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "securityEmailContact", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "parameters": { + "emailSecurityContact": { + "value": "[[parameters('emailSecurityContact')]" + }, + "minimalSeverity": { + "value": "[[parameters('minimalSeverity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ascExport", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "parameters": { + 
"resourceGroupName": {
+ "value": "[[parameters('ascExportResourceGroupName')]"
+ },
+ "resourceGroupLocation": {
+ "value": "[[parameters('ascExportResourceGroupLocation')]"
+ },
+ "workspaceResourceId": {
+ "value": "[[parameters('logAnalytics')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "migrateToMdeTvm",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888",
+ "parameters": {
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
 }
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json
new file mode 100644
index 0000000000..e62007a4a8
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json
@@ -0,0 +1,405 @@ +{ + "name": "Deploy-MDFC-Config_20240319", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy Microsoft Defender for Cloud configuration", + "description": "Deploy Microsoft Defender for Cloud configuration", + "metadata": { + "version": "1.0.0", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deploy-MDFC-Config", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Microsoft Defender for Cloud contact details" + } + }, + "minimalSeverity": { + "type": "string", + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": "High", + "metadata": { + "displayName": "Minimal severity", + "description": "Defines the minimal alert severity which will be sent as email notifications" + } + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Primary Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "ascExportResourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource Group name for the export to Log Analytics workspace configuration", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." 
+ } + }, + "ascExportResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource Group location for the export to Log Analytics workspace configuration", + "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." + } + }, + "enableAscForCosmosDbs": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSql": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSqlOnVm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForArm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForOssDb": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForAppServices": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForKeyVault": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + 
"Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForStorage": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForContainers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServersVulnerabilityAssessments": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "vulnerabilityAssessmentProvider": { + "type": "String", + "allowedValues": [ + "default", + "mdeTvm" + ], + "defaultValue": "mdeTvm", + "metadata": { + "displayName": "Vulnerability assessment provider type", + "description": "Select the vulnerability assessment solution to provision to machines." 
+ } + }, + "enableAscForCspm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "defenderForOssDb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForOssDb')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVM", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServersVulnerabilityAssessments')]" + }, + "vaType": { + "value": "[[parameters('vulnerabilityAssessmentProvider')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSqlOnVm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForAppServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForAppServices')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForStorageAccountsV2", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForStorage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforContainers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforKubernetes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "azurePolicyForKubernetes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForKeyVaults", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForKeyVault')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForArm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForArm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlPaas", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "parameters": { + "effect": { + "value": 
"[[parameters('enableAscForSql')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCosmosDbs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCosmosDbs')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCspm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCspm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "securityEmailContact", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "parameters": { + "emailSecurityContact": { + "value": "[[parameters('emailSecurityContact')]" + }, + "minimalSeverity": { + "value": "[[parameters('minimalSeverity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ascExport", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "parameters": { + "resourceGroupName": { + "value": "[[parameters('ascExportResourceGroupName')]" + }, + "resourceGroupLocation": { + "value": "[[parameters('ascExportResourceGroupLocation')]" + }, + "workspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "migrateToMdeTvm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888", + "parameters": { + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
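Review bot: The `migrateToMdeTvm` reference at the end of the policyDefinitions array passes an empty `parameters` object, so unlike every other reference its effect cannot be switched off through the initiative; if the built-in definition 766e621d-ba95-4e43-a6f2-e945db3d7888 exposes an `effect` parameter, wire it to a new initiative parameter with the same `DeployIfNotExists`/`Disabled` allowed values so an assignment with all plans set to Disabled stays inert. Compared with the deprecated Deploy-MDFC-Config shown in the previous hunk, the `defenderForDns`/`enableAscForDns` and `defenderForApis`/`enableAscForApis` entries are gone, yet neither `description` nor `metadata` records that plan coverage changed; something like `"description": "Deploy Microsoft Defender for Cloud configuration (Defender for DNS and Defender for APIs plans are no longer included; see the deprecated Deploy-MDFC-Config)"` would let assignment owners notice the gap. The `vulnerabilityAssessmentProvider` default also moves from `default` to `mdeTvm`, which is a behaviour change on migration and belongs in the same description.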
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json
new file mode 100644
index 0000000000..796e0bd68e
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json
@@ -0,0 +1,239 @@ +{ + "name": "Deploy-MDFC-DefenderSQL-AMA", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW", + "description": "Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html", + "metadata": { + "version": "1.0.1-deprecated", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "de01d381-bae9-4670-8870-786f89f49e26", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "workspaceRegion": { + "type": "String", + "metadata": { + "displayName": "Workspace region", + "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "location" + } + }, + "dcrName": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Name", + "description": "Name of the Data Collection Rule." + } + }, + "dcrResourceGroup": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Resource Group", + "description": "Resource Group of the Data Collection Rule." + } + }, + "dcrId": { + "type": "String", + "metadata": { + "displayName": "Data Collection Rule Id", + "description": "Id of the Data Collection Rule." 
+ } + }, + "userWorkspaceResourceId": { + "type": "String", + "metadata": { + "displayName": "Workspace Resource Id", + "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.", + "strongType": "omsWorkspace" + } + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "type": "Boolean", + "metadata": { + "displayName": "Enable collection of SQL queries for security research", + "description": "Enable or disable the collection of SQL queries for security research." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": false + }, + "identityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "Identity Resource Group", + "description": "The name of the resource group created by the policy." + }, + "defaultValue": "" + }, + "userAssignedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User Assigned Managed Identity Name", + "description": "The name of the user assigned managed identity." 
+ }, + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "defenderForSqlArcAma", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlArcMdsql", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlArcMdsqlDcr", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + }, + "userWorkspaceResourceId": { + "value": "[[parameters('userWorkspaceResourceId')]" + }, + "workspaceRegion": { + "value": "[[parameters('workspaceRegion')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + }, + "dcrName": { + "value": "[[parameters('dcrName')]" + }, + "dcrResourceGroup": { + "value": "[[parameters('dcrResourceGroup')]" + }, + "dcrId": { + "value": "[[parameters('dcrId')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlArcDcrAssociation", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + }, + "workspaceRegion": { + "value": "[[parameters('workspaceRegion')]" + }, + "dcrName": { + "value": "[[parameters('dcrName')]" + }, + "dcrResourceGroup": { + "value": "[[parameters('dcrResourceGroup')]" + }, + "dcrId": { + 
"value": "[[parameters('dcrId')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlAma", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + }, + "identityResourceGroup": { + "value": "[[parameters('identityResourceGroup')]" + }, + "userAssignedIdentityName": { + "value": "[[parameters('userAssignedIdentityName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlMdsql", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + }, + "workspaceRegion": { + "value": "[[parameters('workspaceRegion')]" + }, + "dcrResourceGroup": { + "value": "[[parameters('dcrResourceGroup')]" + }, + "dcrName": { + "value": "[[parameters('dcrName')]" + }, + "dcrId": { + "value": "[[parameters('dcrId')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlMdsqlDcr", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR", + "parameters": { + "effect": { + "value": "Disabled" + }, + "userWorkspaceResourceId": { + "value": "[[parameters('userWorkspaceResourceId')]" + }, + "workspaceRegion": { + "value": "[[parameters('workspaceRegion')]" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]" + }, + "dcrName": { + "value": "[[parameters('dcrName')]" + }, + "dcrResourceGroup": { + "value": "[[parameters('dcrResourceGroup')]" + }, + "dcrId": { + "value": "[[parameters('dcrId')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } 
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json
index 9ce7fb156b..fc77ee5981 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json
@@ -8,7 +8,7 @@
 "displayName": "Configure Azure PaaS services to use private DNS zones",
 "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.1",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -18,6 +18,7 @@
 "parameters": {
 "azureFilePrivateDnsZoneId": {
 "type": "string",
+ "defaultValue": "",
 "metadata": {
 "displayName": "azureFilePrivateDnsZoneId",
 "strongType": "Microsoft.Network/privateDnsZones",
@@ -26,6 +27,7 @@
 },
 "azureWebPrivateDnsZoneId": {
 "type": "string",
+ "defaultValue": "",
 "metadata": {
 "displayName": "azureWebPrivateDnsZoneId",
 "strongType": "Microsoft.Network/privateDnsZones",
@@ -34,6 +36,7 @@
 },
 "azureBatchPrivateDnsZoneId": {
 "type": "string",
+ "defaultValue": "",
 "metadata": {
 "displayName": "azureBatchPrivateDnsZoneId",
 "strongType": "Microsoft.Network/privateDnsZones",
@@ -42,6 +45,7 @@
 },
 "azureAppPrivateDnsZoneId": {
 "type": "string",
+ "defaultValue": "",
 "metadata": {
 "displayName": "azureAppPrivateDnsZoneId",
 "strongType": "Microsoft.Network/privateDnsZones",
@@ -50,6 +54,7 @@
 },
 "azureAsrPrivateDnsZoneId": {
 "type": "string",
+ "defaultValue": "",
 "metadata": {
 "displayName": "azureAsrPrivateDnsZoneId",
 "strongType": "Microsoft.Network/privateDnsZones",
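Review bot: The `defenderForSqlMdsqlDcr` reference hardcodes `"effect": { "value": "Disabled" }` while the other six references take `[[parameters('effect')]]`, so the initiative's `effect` parameter does not control that definition and the reason is recorded nowhere in the file. JSON cannot carry a comment, so the `description` that already marks the initiative as deprecated is the natural place: append `The Deploy-MDFC-SQL-DefenderSQL-DCR reference is intentionally left Disabled.` if that is the intent, or switch it to `[[parameters('effect')]]` if it is not. The `identityResourceGroup` and `userAssignedIdentityName` parameters default to an empty string and are forwarded unchanged to Deploy-MDFC-SQL-AMA; that definition is not in this diff, so confirm it tolerates empty values before an assignment relies on the defaults.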
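Review bot: Every `azure*PrivateDnsZoneId` parameter in the `@@ -18,6 +18,7 @@` hunk and the nineteen that follow it (through `@@ -170,6 +189,7 @@`) gains `"defaultValue": ""`, which turns a previously mandatory zone resource id into an optional one. The member definitions that consume `privateDnsZoneId` are not part of this diff, so confirm each one treats an empty id as not-applicable rather than attempting a DeployIfNotExists remediation with an empty zone reference, and that existing assignments are reviewed for which zones were deliberately left blank. Bumping `version` only to `1.0.1` for a change that relaxes the contract of twenty parameters is arguably a minor rather than a patch change; `1.1.0` would make the change visible to tooling that compares initiative versions.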
@@ -58,6 +63,7 @@ }, "azureIotPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureIotPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -66,6 +72,7 @@ }, "azureKeyVaultPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureKeyVaultPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -74,6 +81,7 @@ }, "azureSignalRPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureSignalRPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -82,6 +90,7 @@ }, "azureAppServicesPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureAppServicesPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -90,6 +99,7 @@ }, "azureEventGridTopicsPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureEventGridTopicsPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -98,6 +108,7 @@ }, "azureDiskAccessPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureDiskAccessPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -106,6 +117,7 @@ }, "azureCognitiveServicesPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureCognitiveServicesPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -114,6 +126,7 @@ }, "azureIotHubsPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureIotHubsPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -122,6 +135,7 @@ }, "azureEventGridDomainsPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureEventGridDomainsPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", 
@@ -130,6 +144,7 @@ }, "azureRedisCachePrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureRedisCachePrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -138,6 +153,7 @@ }, "azureAcrPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureAcrPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -146,6 +162,7 @@ }, "azureEventHubNamespacePrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureEventHubNamespacePrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -154,6 +171,7 @@ }, "azureMachineLearningWorkspacePrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureMachineLearningWorkspacePrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -162,6 +180,7 @@ }, "azureServiceBusNamespacePrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureServiceBusNamespacePrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -170,6 +189,7 @@ }, "azureCognitiveSearchPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureCognitiveSearchPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -207,7 +227,7 @@ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync", "parameters": { "privateDnsZoneId": { - "value": "[[parameters('azureFileprivateDnsZoneId')]" + "value": "[[parameters('azureFilePrivateDnsZoneId')]" }, "effect": { "value": "[[parameters('effect')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureUSGovernment.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureUSGovernment.json index 2a3388a5c4..20dc13e173 100644 
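Review bot: Giving every `*PrivateDnsZoneId` parameter `"defaultValue": ""` turns each zone from a required assignment input into an optional one, so an assignment that forgets a zone now passes validation instead of failing; whether the corresponding DINE member then fails at deployment or silently deploys nothing depends on the member definitions, which are outside this diff. The initiative `description` still promises that private endpoints "are integrated with Azure Private DNS zones", and after this change that promise holds only if every assignment supplies every ID. Make the opt-out explicit in each parameter so the operator sees the consequence in the portal, e.g. `"description": "Private DNS Zone Identifier. Leave empty to skip private DNS integration for this service."`. The `azureFileprivateDnsZoneId` → `azureFilePrivateDnsZoneId` correction in the last hunk is the only functional fix here and is worth calling out separately in the PR description.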
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureUSGovernment.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureUSGovernment.json @@ -8,7 +8,7 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", "metadata": { - "version": "1.0.0", + "version": "1.0.1", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -18,6 +18,7 @@ "parameters": { "azureFilePrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureFilePrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -26,6 +27,7 @@ }, "azureBatchPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureBatchPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -34,6 +36,7 @@ }, "azureAppPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureAppPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -42,6 +45,7 @@ }, "azureAsrPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureAsrPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -50,6 +54,7 @@ }, "azureIotPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureIotPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -58,6 +63,7 @@ }, "azureKeyVaultPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureKeyVaultPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", 
@@ -66,6 +72,7 @@ }, "azureSignalRPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureSignalRPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -74,6 +81,7 @@ }, "azureAppServicesPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureAppServicesPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -82,6 +90,7 @@ }, "azureEventGridTopicsPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureEventGridTopicsPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -90,6 +99,7 @@ }, "azureDiskAccessPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureDiskAccessPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -98,6 +108,7 @@ }, "azureCognitiveServicesPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureCognitiveServicesPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -106,6 +117,7 @@ }, "azureIotHubsPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureIotHubsPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -114,6 +126,7 @@ }, "azureEventGridDomainsPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureEventGridDomainsPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -122,6 +135,7 @@ }, "azureRedisCachePrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureRedisCachePrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -130,6 +144,7 @@ }, "azureAcrPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureAcrPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", 
@@ -138,6 +153,7 @@ }, "azureEventHubNamespacePrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureEventHubNamespacePrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -146,6 +162,7 @@ }, "azureMachineLearningWorkspacePrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureMachineLearningWorkspacePrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -154,6 +171,7 @@ }, "azureServiceBusNamespacePrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureServiceBusNamespacePrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -162,6 +180,7 @@ }, "azureCognitiveSearchPrivateDnsZoneId": { "type": "string", + "defaultValue": "", "metadata": { "displayName": "azureCognitiveSearchPrivateDnsZoneId", "strongType": "Microsoft.Network/privateDnsZones", @@ -199,7 +218,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", "parameters": { "privateDnsZoneId": { - "value": "[[parameters('azureFileprivateDnsZoneId')]" + "value": "[[parameters('azureFilePrivateDnsZoneId')]" }, "effect": { "value": "[[parameters('effect')]" @@ -444,4 +463,4 @@ ], "policyDefinitionGroups": null } -} +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json index d6cffb1027..c039643697 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json 
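Review bot: The last hunk (`-} +} \ No newline at end of file`) strips the trailing newline from this file while the same commit restores one in `Deploy-Private-DNS-Zones.json`; keep a newline at end of file consistently so later diffs do not churn on it. Separately, every zone-ID parameter now carries `"defaultValue": ""`, which means an assignment can omit any zone without an error; the parameter `description` still reads just `Private DNS Zone Identifier` and does not tell the assigner that an empty value opts that service out of DNS integration. Suggest `"description": "Private DNS Zone Identifier. Leave empty to skip private DNS integration for this service."` on each, since the behaviour of a DINE member receiving an empty ID is decided by the member definition, not visible in this diff.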
@@ -8,7 +8,7 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", "metadata": { - "version": "1.1.0", + "version": "2.2.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -106,6 +106,15 @@ "description": "Private DNS Zone Identifier" } }, + "azureDatabricksPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDatabricksPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, "azureHDInsightPrivateDnsZoneId": { "type": "string", "defaultValue": "", @@ -457,6 +466,15 @@ "description": "Private DNS Zone Identifier" } }, + "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMachineLearningWorkspaceSecondPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, "azureServiceBusNamespacePrivateDnsZoneId": { "type": "string", "defaultValue": "", 
@@ -475,6 +493,132 @@ "description": "Private DNS Zone Identifier" } }, + "azureBotServicePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureBotServicePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureManagedGrafanaWorkspacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureManagedGrafanaWorkspacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureVirtualDesktopHostpoolPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureVirtualDesktopHostpoolPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureVirtualDesktopWorkspacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureVirtualDesktopWorkspacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotDeviceupdatePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureIotDeviceupdatePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureArcGuestconfigurationPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureArcGuestconfigurationPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureArcHybridResourceProviderPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureArcHybridResourceProviderPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone 
Identifier" + } + }, + "azureArcKubernetesConfigurationPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureArcKubernetesConfigurationPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotCentralPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureIotCentralPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageTablePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageTableSecondaryPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageTableSecondaryPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSiteRecoveryBackupPrivateDnsZoneID": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSiteRecoveryBackupPrivateDnsZoneID", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSiteRecoveryBlobPrivateDnsZoneID": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSiteRecoveryBlobPrivateDnsZoneID", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSiteRecoveryQueuePrivateDnsZoneID": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSiteRecoveryQueuePrivateDnsZoneID", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, "effect": { "type": "string", "metadata": { 
@@ -506,7 +650,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", "parameters": { "privateDnsZoneId": { - "value": "[[parameters('azureFileprivateDnsZoneId')]" + "value": "[[parameters('azureFilePrivateDnsZoneId')]" }, "effect": { "value": "[[parameters('effect')]" @@ -662,6 +806,38 @@ }, "groupNames": [] }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-UI-Api", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDatabricksPrivateDnsZoneId')]" + }, + "groupId": { + "value": "databricks_ui_api" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-Browser-AuthN", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDatabricksPrivateDnsZoneId')]" + }, + "groupId": { + "value": "browser_authentication" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-HDInsight", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11", @@ -1144,6 +1320,9 @@ "privateDnsZoneId": { "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" }, + "secondPrivateDnsZoneId": { + "value": "[[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]" + }, "effect": { "value": "[[parameters('effect')]" } 
@@ -1175,8 +1354,146 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-BotService", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureBotServicePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ManagedGrafanaWorkspace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopHostpool", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "connection" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopWorkspace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "feed" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTDeviceupdate", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotDeviceupdatePrivateDnsZoneId')]" 
+ }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9", + "parameters":{ + "privateDnsZoneIDForGuestConfiguration": { + "value": "[[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]" + }, + "privateDnsZoneIDForHybridResourceProvider": { + "value": "[[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]" + }, + "privateDnsZoneIDForKubernetesConfiguration": { + "value": "[[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTCentral", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6", + "parameters":{ + "privateDnsZoneId": { + "value": "[[parameters('azureIotCentralPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a", + "parameters":{ + "privateDnsZoneId": { + "value": "[[parameters('azureStorageTablePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table-Secondary", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f", + "parameters":{ + "privateDnsZoneId": { + "value": "[[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery-Backup", + 
"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820", + "parameters":{ + "privateDnsZone-Backup": { + "value": "[[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]" + }, + "privateDnsZone-Blob": { + "value": "[[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]" + }, + "privateDnsZone-Queue": { + "value": "[[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } } ], "policyDefinitionGroups": null } -} \ No newline at end of file +} diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json index a6e0fa8424..f14f8846f0 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json @@ -5,12 +5,14 @@ "scope": null, "properties": { "policyType": "Custom", - "displayName": "Deploy SQL Database built-in SQL security configuration", - "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", + "displayName": "[Deprecated]: Deploy SQL Database built-in SQL security configuration", + "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html", "metadata": { - "version": "1.0.0", + "version": "1.0.0-deprecated", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "Deploy-Sql-Security_20240529", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", 
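Review bot: The members added from `DINE-Private-DNS-Azure-BotService` through `DINE-Private-DNS-Azure-Site-Recovery-Backup` omit the `"groupNames": []` property that every other member in this initiative carries, including the two new Databricks entries earlier in the file; add `"groupNames": []` to each for consistency with the rest of the list. The three new Site Recovery parameters are named `azureSiteRecovery*PrivateDnsZoneID` while all other parameters end in `...Id`; parameter names are part of the assignment interface and renaming later is a breaking change, so rename them to `azureSiteRecoveryBackupPrivateDnsZoneId`, `azureSiteRecoveryBlobPrivateDnsZoneId` and `azureSiteRecoveryQueuePrivateDnsZoneId` before this ships (and update the three `[[parameters(...)]` references). Minor: several new entries use `"parameters":{` without the space the file uses elsewhere.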
@@ -84,7 +86,7 @@ "policyDefinitions": [ { "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", "parameters": { "effect": { "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json new file mode 100644 index 0000000000..1d25ba58c3 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json 
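Review bot: The `SqlDbTdeDeploySqlSecurity` member is repointed from the custom `Deploy-Sql-Tde` definition to built-in `86a912f6-9a06-4e26-b447-11b16ba8659f` in the same change that marks this initiative deprecated, so existing assignments of the deprecated initiative will start deploying a different definition on their next evaluation. The member still passes `"effect": { "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" }`; confirm the built-in exposes an `effect` parameter whose allowed values include what `SqlDbTdeDeploySqlSecurityEffect` permits (that parameter block is outside the hunk). If the repoint is required because `Deploy-Sql-Tde` is being retired, state that in the `description` next to the "Superseded by" sentence rather than leaving the reader to infer it, e.g. `TDE member now references the built-in definition 86a912f6-9a06-4e26-b447-11b16ba8659f.`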
@@ -0,0 +1,135 @@ +{ + "name": "Deploy-Sql-Security_20240529", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy SQL Database built-in SQL security configuration", + "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deploy-Sql-Security", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "metadata": { + "description": "The email address to send alerts", + "displayName": "The email address to send alerts" + }, + "type": "Array" + }, + "vulnerabilityAssessmentsStorageID": { + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + }, + "type": "String" + }, + "SqlDbTdeDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database Transparent Data Encryption ", + "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment" + } + }, + "SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts", + "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration" + } + }, + "SqlDbAuditingSettingsDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + 
"allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL database auditing settings", + "description": "Deploy auditing settings to SQL Database when it not exist in the deployment" + } + }, + "SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database vulnerability Assessments", + "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity", + "policyDefinitionId": 
"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json new file mode 100644 index 0000000000..5b87ebf75d --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json 
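Review bot: `vulnerabilityAssessmentsStorageID` is a free-form `String` with no `strongType`, so the portal offers no resource picker or validation for the account that will receive vulnerability scan results; other initiatives in this commit use `strongType` on resource-ID parameters, so add `"strongType": "Microsoft.Storage/storageAccounts"` to its `metadata`. Because that account ends up holding findings about every database in scope, the description should also say it is expected to be a platform-controlled account; that control itself lives in the definition, outside this diff. Documentation nits in the new file: `"displayName": "Deploy SQL Database Transparent Data Encryption "` has a trailing space, and the initiative `description` and several parameter descriptions read "when it not exist" — `when they do not exist` is the intended wording.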
@@ -0,0 +1,92 @@ +{ + "name": "Enforce-ACSB", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce Azure Compute Security Benchmark compliance auditing", + "description": "Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.", + "metadata": { + "version": "1.0.0", + "category": "Guest Configuration", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "includeArcMachines": { + "type": "String", + "allowedValues": [ + "true", + "false" + ], + "metadata": { + "displayName": "Include Arc connected servers", + "description": "By selecting this option, you agree to be charged monthly per Arc connected machine." + }, + "defaultValue": "true" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "AuditIfNotExists" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "GcIdentity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e", + "parameters": {}, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "GcLinux", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da", + "parameters": {}, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "GcWindows", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6", + "parameters": {}, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WinAcsb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc", + "parameters": { + 
"effect": { + "value": "[[parameters('effect')]" + }, + "IncludeArcMachines": { + "value": "[[parameters('includeArcMachines')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LinAcsb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + }, + "IncludeArcMachines": { + "value": "[[parameters('includeArcMachines')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json new file mode 100644 index 0000000000..a2eaa786d5 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json 
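Review bot: `includeArcMachines` defaults to `"true"` although its own description warns that it incurs a monthly per-machine charge, so an assignment that accepts defaults silently opts every Arc-connected server in scope into billing; set `"defaultValue": "false"`, or drop the default so the assigner must choose, and if the repository deliberately defaults to true, say why in the description. The `effect` parameter admits only `AuditIfNotExists` and `Disabled`, so this initiative can only report drift from the benchmark, never correct it; given the `Enforce-` prefix, make that explicit in the `description`, e.g. append `This initiative audits compliance only; it does not change machine configuration.` The three prerequisite members (`GcIdentity`, `GcLinux`, `GcWindows`) are wired with `"parameters": {}`, so nothing in the assignment can disable them; if those built-ins expose an `effect` parameter (not visible here), pass one through so the initiative can be fully disabled from its own parameters.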
@@ -0,0 +1,52 @@
+{
+ "name": "Enforce-ALZ-Decomm",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce policies in the Decommissioned Landing Zone",
+ "description": "Enforce policies in the Decommissioned Landing Zone.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Decommissioned",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "listOfResourceTypesAllowed":{
+ "type": "Array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Allowed resource types in the Decommissioned landing zone",
+ "description": "Allowed resource types in the Decommissioned landing zone, default is none.",
+ "strongType": "resourceTypes"
+ }
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "DecomDenyResources",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c",
+ "parameters": {
+ "listOfResourceTypesAllowed": {
+ "value": "[[parameters('listOfResourceTypesAllowed')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DecomShutdownMachines",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown",
+ "parameters": {},
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+ }
+ 
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json
new file mode 100644
index 0000000000..93b5098aad
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json
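Review bot: The `DecomShutdownMachines` member is wired with `"parameters": {}`, so an assignment of this initiative has no way to turn the auto-shutdown deployment off, whereas the sibling `Enforce-ALZ-Sandbox` initiative in this commit exposes a per-member effect for each of its policies. If `Deploy-Vm-autoShutdown` exposes an `effect` parameter (its definition is outside this diff), add a `String` parameter such as `effectShutdownMachines` with `allowedValues` `DeployIfNotExists`/`Disabled` and `defaultValue` `DeployIfNotExists`, and pass it through as `"effect": { "value": "[[parameters('effectShutdownMachines')]" }`. `listOfResourceTypesAllowed` defaulting to `[]` makes `DecomDenyResources` block every resource type by default, which matches the stated intent ("default is none") and is the right default for a decommissioned zone. Formatting: the file ends with a whitespace-only line and no trailing newline, and the two closing braces are mis-indented relative to the rest of the repo's files.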
@@ -0,0 +1,84 @@
+{
+ "name": "Enforce-ALZ-Sandbox",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce policies in the Sandbox Landing Zone",
+ "description": "Enforce policies in the Sandbox Landing Zone.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Sandbox",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "listOfResourceTypesNotAllowed": {
+ "type": "Array",
+ "defaultValue": [],
+ "metadata": {
+ "displayName": "Not allowed resource types in the Sandbox landing zone",
+ "description": "Not allowed resource types in the Sandbox landing zone, default is none.",
+ "strongType": "resourceTypes"
+ }
+ },
+ "effectNotAllowedResources": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "effectDenyVnetPeering": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "SandboxNotAllowed",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectNotAllowedResources')]"
+ },
+ "listOfResourceTypesNotAllowed": {
+ "value": "[[parameters('listOfResourceTypesNotAllowed')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SandboxDenyVnetPeering",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectDenyVnetPeering')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json
new file mode 100644
index 0000000000..172ccc7467
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json
@@ -0,0 +1,135 @@
+{
+ "name": "Enforce-Backup",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce enhanced recovery and backup policies",
+ "description": "Enforce enhanced recovery and backup policies on assigned scopes.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Backup",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "checkLockedImmutabilityOnly": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "checkLockedImmutabilityOnly",
+ "description": "This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant."
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": false
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "CheckAlwaysOnSoftDeleteOnly",
+ "description": "This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant."
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": false
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "BackupBVault-Immutability",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "checkLockedImmutabiltyOnly": {
+ "value": "[[parameters('checkLockedImmutabilityOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupRVault-Immutability",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "checkLockedImmutabilityOnly": {
+ "value": "[[parameters('checkLockedImmutabilityOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupBVault-SoftDelete",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "value": "[[parameters('checkAlwaysOnSoftDeleteOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupRVault-SoftDelete",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ },
+ "checkAlwaysOnSoftDeleteOnly": {
+ "value": "[[parameters('checkAlwaysOnSoftDeleteOnly')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupBVault-MUA",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BackupRVault-MUA",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json
index cc32716d92..5b8e55e808 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json
@@ -1,640 +1,643 @@ { - "name": "Enforce-EncryptTransit", - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "scope": null, - "properties": { - "policyType": "Custom", - "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. ", - "metadata": { - "version": "1.0.0", - "category": "Encryption", - "source": "https://github.com/Azure/Enterprise-Scale/", - "alzCloudEnvironments": [ - "AzureCloud", - "AzureChinaCloud", - "AzureUSGovernment" - ] - }, - "parameters": { - "AppServiceHttpEffect": { - "type": "String", - "defaultValue": "Append", - "allowedValues": [ - "Append", - "Disabled" - ], - "metadata": { - "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", - "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." - } - }, - "AppServiceTlsVersionEffect": { - "type": "String", - "defaultValue": "Append", - "allowedValues": [ - "Append", - "Disabled" - ], - "metadata": { - "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", - "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." 
- } - }, - "AppServiceminTlsVersion": { - "type": "String", - "defaultValue": "1.2", - "allowedValues": [ - "1.2", - "1.0", - "1.1" - ], - "metadata": { - "displayName": "App Service. Select version minimum TLS Web App config", - "description": "App Service. Select version minimum TLS version for a Web App config to enforce" - } - }, - "APIAppServiceLatestTlsEffect": { - "metadata": { - "displayName": "App Service API App. Latest TLS version should be used in your API App", - "description": "App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." - }, - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ] - }, - "APIAppServiceHttpsEffect": { - "metadata": { - "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", - "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "FunctionLatestTlsEffect": { - "metadata": { - "displayName": "App Service Function App. Latest TLS version should be used in your Function App", - "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." - }, - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ] - }, - "FunctionServiceHttpsEffect": { - "metadata": { - "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", - "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "WebAppServiceLatestTlsEffect": { - "metadata": { - "displayName": "App Service Web App. Latest TLS version should be used in your Web App", - "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." - }, - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ] - }, - "WebAppServiceHttpsEffect": { - "metadata": { - "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", - "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "AKSIngressHttpsOnlyEffect": { - "metadata": { - "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", - "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." - }, - "type": "String", - "defaultValue": "deny", - "allowedValues": [ - "audit", - "deny", - "disabled" - ] - }, - "MySQLEnableSSLDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "MySQL database servers. 
Deploy if not exist set minimum TLS version Azure Database for MySQL server", - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - } - }, - "MySQLEnableSSLEffect": { - "metadata": { - "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", - "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "MySQLminimalTlsVersion": { - "type": "String", - "defaultValue": "TLS1_2", - "allowedValues": [ - "TLS1_2", - "TLS1_0", - "TLS1_1", - "TLSEnforcementDisabled" - ], - "metadata": { - "displayName": "MySQL database servers. Select version minimum TLS for MySQL server", - "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" - } - }, - "PostgreSQLEnableSSLDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "PostgreSQL database servers. 
Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - } - }, - "PostgreSQLEnableSSLEffect": { - "metadata": { - "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", - "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "PostgreSQLminimalTlsVersion": { - "type": "String", - "defaultValue": "TLS1_2", - "allowedValues": [ - "TLS1_2", - "TLS1_0", - "TLS1_1", - "TLSEnforcementDisabled" - ], - "metadata": { - "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server", - "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" - } - }, - "RedisTLSDeployEffect": { - "type": "String", - "defaultValue": "Append", - "allowedValues": [ - "Append", - "Disabled" - ], - "metadata": { - "displayName": "Azure Cache for Redis. 
Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", - "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - } - }, - "RedisMinTlsVersion": { - "type": "String", - "defaultValue": "1.2", - "allowedValues": [ - "1.2", - "1.0", - "1.1" - ], - "metadata": { - "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", - "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" - } - }, - "RedisTLSEffect": { - "metadata": { - "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", - "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, - "SQLManagedInstanceTLSDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", - "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." - } - }, - "SQLManagedInstanceMinTlsVersion": { - "type": "String", - "defaultValue": "1.2", - "allowedValues": [ - "1.2", - "1.0", - "1.1" - ], - "metadata": { - "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", - "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" - } - }, - "SQLManagedInstanceTLSEffect": { - "metadata": { - "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", - "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ] - }, - "SQLServerTLSDeployEffect": { - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", - "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
- } - }, - "SQLServerminTlsVersion": { - "type": "String", - "defaultValue": "1.2", - "allowedValues": [ - "1.2", - "1.0", - "1.1" - ], - "metadata": { - "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", - "description": "Select version minimum TLS version for Azure SQL Database to enforce" - } - }, - "SQLServerTLSEffect": { - "metadata": { - "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", - "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled", - "Deny" + "name": "Enforce-EncryptTransit", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html", + "metadata": { + "version": "2.1.0-deprecated", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "Enforce-EncryptTransit_20240509", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" ] }, - "StorageDeployHttpsEnabledEffect": { - "metadata": { - "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", - "description": "Audit requirement of Secure transfer in your storage account. 
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" - }, - "type": "String", - "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ] - }, - "StorageminimumTlsVersion": { - "type": "String", - "defaultValue": "TLS1_2", - "allowedValues": [ - "TLS1_2", - "TLS1_1", - "TLS1_0" - ], - "metadata": { - "displayName": "Storage Account select minimum TLS version", - "description": "Select version minimum TLS version on Azure Storage Account to enforce" - } - }, - "StorageHttpsEnabledEffect": { - "metadata": { - "displayName": "Azure Storage Account. Secure transfer to storage accounts should be enabled", - "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - } - }, - "policyDefinitions": [ - { - "policyDefinitionReferenceId": "AppServiceHttpEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", - "parameters": { - "effect": { - "value": "[[parameters('AppServiceHttpEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AppServiceminTlsVersion", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", - "parameters": { - "effect": { - "value": "[[parameters('AppServiceTlsVersionEffect')]" - }, - "minTlsVersion": { - "value": "[[parameters('AppServiceminTlsVersion')]" + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." 
} }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "APIAppServiceLatestTlsEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", - "parameters": { - "effect": { - "value": "[[parameters('APIAppServiceLatestTlsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "FunctionLatestTlsEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", - "parameters": { - "effect": { - "value": "[[parameters('FunctionLatestTlsEffect')]" + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", - "parameters": { - "effect": { - "value": "[[parameters('WebAppServiceLatestTlsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", - "parameters": { - "effect": { - "value": "[[parameters('APIAppServiceHttpsEffect')]" + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "App Service. 
Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", - "parameters": { - "effect": { - "value": "[[parameters('FunctionServiceHttpsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", - "parameters": { - "effect": { - "value": "[[parameters('WebAppServiceHttpsEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", - "parameters": { - "effect": { - "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", - "parameters": { - "effect": { - "value": "[[parameters('MySQLEnableSSLDeployEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('MySQLminimalTlsVersion')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MySQLEnableSSLEffect", - "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", - "parameters": { - "effect": { - "value": "[[parameters('MySQLEnableSSLEffect')]" - }, - "minimalTlsVersion": { - "value": "[[parameters('MySQLminimalTlsVersion')]" + 
"APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. 
Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." + }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
}
 },
- "groupNames": []
- },
- {
- "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement",
- "parameters": {
- "effect": {
- "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]"
- },
- "minimalTlsVersion": {
- "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ "MySQLEnableSSLEffect": {
+ "metadata": {
+ "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers",
+ "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "MySQLminimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "MySQL database servers. 
Select version minimum TLS for MySQL server",
+ "description": "Select version minimum TLS version Azure Database for MySQL server to enforce"
 }
 },
- "groupNames": []
- },
- {
- "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http",
- "parameters": {
- "effect": {
- "value": "[[parameters('PostgreSQLEnableSSLEffect')]"
- },
- "minimalTlsVersion": {
- "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ "PostgreSQLEnableSSLDeployEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
 }
 },
- "groupNames": []
- },
- {
- "policyDefinitionReferenceId": "RedisTLSDeployEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement",
- "parameters": {
- "effect": {
- "value": "[[parameters('RedisTLSDeployEffect')]"
- },
- "minimumTlsVersion": {
- "value": "[[parameters('RedisMinTlsVersion')]"
+ "PostgreSQLEnableSSLEffect": {
+ "metadata": {
+ "displayName": "PostgreSQL database servers. 
Enforce SSL connection should be enabled for PostgreSQL database servers",
+ "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "PostgreSQLminimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server",
+ "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce"
 }
 },
- "groupNames": []
- },
- {
- "policyDefinitionReferenceId": "RedisdisableNonSslPort",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort",
- "parameters": {
- "effect": {
- "value": "[[parameters('RedisTLSDeployEffect')]"
+ "RedisTLSDeployEffect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
 }
 },
- "groupNames": []
- },
- {
- "policyDefinitionReferenceId": "RedisDenyhttps",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http",
- "parameters": {
- "effect": {
- "value": "[[parameters('RedisTLSEffect')]"
- },
- "minimumTlsVersion": {
- "value": "[[parameters('RedisMinTlsVersion')]"
+ "RedisMinTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.0",
+ "1.1"
+ ],
+ "metadata": {
+ "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis",
+ "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce"
 }
 },
- "groupNames": []
- },
- {
- "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS",
- "parameters": {
- "effect": {
- "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]"
- },
- "minimalTlsVersion": {
- "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ "RedisTLSEffect": {
+ "metadata": {
+ "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled",
+ "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "SQLManagedInstanceTLSDeployEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
 }
 },
- "groupNames": []
- },
- {
- "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS",
- "parameters": {
- "effect": {
- "value": "[[parameters('SQLManagedInstanceTLSEffect')]"
- },
- "minimalTlsVersion": {
- "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ "SQLManagedInstanceMinTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.0",
+ "1.1"
+ ],
+ "metadata": {
+ "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance",
+ "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce"
 }
 },
- "groupNames": []
- },
- {
- "policyDefinitionReferenceId": "SQLServerTLSDeployEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS",
- "parameters": {
- "effect": {
- "value": "[[parameters('SQLServerTLSDeployEffect')]"
- },
- 
"minimalTlsVersion": {
- "value": "[[parameters('SQLServerminTlsVersion')]"
+ "SQLManagedInstanceTLSEffect": {
+ "metadata": {
+ "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2",
+ "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "SQLServerTLSDeployEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
}
 },
- "groupNames": []
- },
- {
- "policyDefinitionReferenceId": "SQLServerTLSEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS",
- "parameters": {
- "effect": {
- "value": "[[parameters('SQLServerTLSEffect')]"
- },
- "minimalTlsVersion": {
- "value": "[[parameters('SQLServerminTlsVersion')]"
+ "SQLServerminTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.0",
+ "1.1"
+ ],
+ "metadata": {
+ "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database",
+ "description": "Select version minimum TLS version for Azure SQL Database to enforce"
 }
 },
- "groupNames": []
- },
- {
- "policyDefinitionReferenceId": "StorageHttpsEnabledEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS",
- "parameters": {
- "effect": {
- "value": "[[parameters('StorageHttpsEnabledEffect')]"
- },
- "minimumTlsVersion": {
- "value": "[[parameters('StorageMinimumTlsVersion')]"
+ "SQLServerTLSEffect": {
+ "metadata": {
+ "displayName": "Azure SQL Database should have the minimal TLS version of 1.2",
+ "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "StorageDeployHttpsEnabledEffect": {
+ "metadata": {
+ "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled",
+ "description": "Audit requirement of Secure transfer in your storage account. 
Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking"
+ },
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "StorageminimumTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_1",
+ "TLS1_0"
+ ],
+ "metadata": {
+ "displayName": "Storage Account select minimum TLS version",
+ "description": "Select version minimum TLS version on Azure Storage Account to enforce"
 }
 },
- "groupNames": []
+ "StorageHttpsEnabledEffect": {
+ "metadata": {
+ "displayName": "Azure Storage Account. Secure transfer to storage accounts should be enabled",
+ "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking"
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "ContainerAppsHttpsOnlyEffect": {
+ "metadata": {
+ "displayName": "Container Apps should only be accessible over HTTPS",
+ "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps."
+ },
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
 },
- {
- "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect",
- "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement",
- "parameters": {
- "effect": {
- "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
- },
- "minimumTlsVersion": {
- "value": "[[parameters('StorageMinimumTlsVersion')]"
- }
- },
- "groupNames": []
- }
- ],
- "policyDefinitionGroups": null
- }
-}
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "AppServiceHttpEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppServiceHttpEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AppServiceminTlsVersion",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppServiceTlsVersionEffect')]"
+ },
+ "minTlsVersion": {
+ "value": "[[parameters('AppServiceminTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "FunctionLatestTlsEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionLatestTlsEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WebAppServiceLatestTlsEffect')]"
+ }
+ },
+ 
"groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "APIAppServiceHttpsEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('APIAppServiceHttpsEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "FunctionServiceHttpsEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionServiceHttpsEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WebAppServiceHttpsEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WebAppServiceHttpsEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSIngressHttpsOnlyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLEnableSSLEffect",
+ "policyDefinitionId": 
"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RedisTLSDeployEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RedisdisableNonSslPort",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ 
"policyDefinitionReferenceId": "RedisDenyhttps",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLServerTLSDeployEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SQLServerTLSEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSEffect')]"
+ },
+ 
"minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageHttpsEnabledEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect",
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+ }
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json
new file mode 100644
index 0000000000..1d96c3c4ba
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json
@@ -0,0 +1,937 @@
+{
+ "name": "Enforce-EncryptTransit_20240509",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Encryption",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "replacesPolicy": "Enforce-EncryptTransit",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "AppServiceHttpEffect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below",
+ "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny."
+ }
+ },
+ "AppServiceTlsVersionEffect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only",
+ "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny."
+ }
+ },
+ "AppServiceminTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.0",
+ "1.1"
+ ],
+ "metadata": {
+ "displayName": "App Service. Select version minimum TLS Web App config",
+ "description": "App Service. Select version minimum TLS version for a Web App config to enforce"
+ }
+ },
+ "APIAppServiceHttpsEffect": {
+ "metadata": {
+ "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.",
+ "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "FunctionLatestTlsEffect": {
+ "metadata": {
+ "displayName": "App Service Function App. Latest TLS version should be used in your Function App",
+ "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version."
+ },
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "FunctionServiceHttpsEffect": {
+ "metadata": {
+ "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.",
+ "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "FunctionAppTlsEffect": {
+ "metadata": {
+ "displayName": "App Service Function App. Configure Function apps to use the latest TLS version.",
+ "description": "App Service Function App. 
Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version."
+ },
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "LogicAppTlsEffect": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "WebAppServiceLatestTlsEffect": {
+ "metadata": {
+ "displayName": "App Service Web App. Latest TLS version should be used in your Web App",
+ "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version."
+ },
+ "type": "String",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "WebAppServiceHttpsEffect": {
+ "metadata": {
+ "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.",
+ "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "AKSIngressHttpsOnlyEffect": {
+ "metadata": {
+ "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster",
+ "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc."
+ },
+ "type": "String",
+ "defaultValue": "deny",
+ "allowedValues": [
+ "audit",
+ "deny",
+ "disabled"
+ ]
+ },
+ "MySQLEnableSSLDeployEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ }
+ },
+ "MySQLEnableSSLEffect": {
+ "metadata": {
+ "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers",
+ "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "MySQLminimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "MySQL database servers. 
Select version minimum TLS for MySQL server",
+ "description": "Select version minimum TLS version Azure Database for MySQL server to enforce"
+ }
+ },
+ "PostgreSQLEnableSSLDeployEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ }
+ },
+ "PostgreSQLEnableSSLEffect": {
+ "metadata": {
+ "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers",
+ "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ },
+ "type": "String",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ]
+ },
+ "PostgreSQLminimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled"
+ ],
+ "metadata": {
+ "displayName": "PostgreSQL database servers. 
Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. 
Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "ContainerAppsHttpsOnlyEffect": { + "metadata": { + "displayName": "Container Apps should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." 
+ }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "logicAppHttpsEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubMinTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedTlsVersion": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlDbTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsTls": { + "type": "string", + "defaultValue": "Deny", + 
"allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTlsVersion": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"FunctionServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": 
"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "parameters": { + "effect": { + "value": 
"[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "parameters": { + "effect": { + "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('FunctionAppTlsEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "Deploy-LogicApp-TLS", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('LogicAppTlsEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", + "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('logicAppHttpsEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": 
"[[parameters('appServiceAppsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", + "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", + "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "policyDefinitionReferenceId": 
"Deny-ContainerApps-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS", + "policyDefinitionReferenceId": "Deny-EH-minTLS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubMinTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlDbTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", + "policyDefinitionReferenceId": "Deny-Storage-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", + "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseTlsVersion')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json index 01a59746b1..bd78dc311b 100644 
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json
@@ -8,7 +8,7 @@
 "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
 "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
 "metadata": {
- "version": "1.0.0",
+ "version": "2.0.0",
 "category": "Encryption",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -158,9 +158,10 @@
 },
 "SqlServerTDECMKEffect": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Audit",
 "allowedValues": [
- "AuditIfNotExists",
+ "Audit",
+ "Deny",
 "Disabled"
 ],
 "metadata": {
@@ -307,7 +308,7 @@
 },
 {
 "policyDefinitionReferenceId": "SqlServerTDECMKEffect",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8",
 "parameters": {
 "effect": {
 "value": "[[parameters('SqlServerTDECMKEffect')]"
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureUSGovernment.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureUSGovernment.json
index 35aea190b1..7d01c56121 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureUSGovernment.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureUSGovernment.json
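Review bot: The `@@ -158,9 +158,10 @@` hunk removes `AuditIfNotExists` from `allowedValues` for `SqlServerTDECMKEffect` with no migration note, so any existing assignment or parameter file that still passes that value explicitly will fail validation on the next deployment; that is the breaking change the 2.0.0 bump signals, but nothing in the diff or commit text says so. The same applies to the AzureUSGovernment hunks on the following line. The parameter's `metadata` displayName and description sit outside the hunk, so confirm they describe the definition now referenced in the `@@ -307,7 +308,7 @@` hunk (`0a370ff3-…`, which appears to be the Audit/Deny/Disabled replacement) rather than the superseded `0d134df8-…` one. The default stays `Audit` although `Deny` is now permitted, so the initiative remains assess-only unless an assignment overrides it; worth stating in the release notes alongside the parameter-value change.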
@@ -8,7 +8,7 @@
 "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
 "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
 "metadata": {
- "version": "1.0.0",
+ "version": "2.0.0",
 "category": "Encryption",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -134,9 +134,10 @@
 },
 "SqlServerTDECMKEffect": {
 "type": "String",
- "defaultValue": "AuditIfNotExists",
+ "defaultValue": "Audit",
 "allowedValues": [
- "AuditIfNotExists",
+ "Audit",
+ "Deny",
 "Disabled"
 ],
 "metadata": {
@@ -263,7 +264,7 @@
 },
 {
 "policyDefinitionReferenceId": "SqlServerTDECMKEffect",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8",
 "parameters": {
 "effect": {
 "value": "[[parameters('SqlServerTDECMKEffect')]"
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json
index a57299cee1..4bd606e7d2 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json
@@ -1,363 +1,628 @@ { - "name": "Enforce-Encryption-CMK", - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", - "scope": null, - "properties": { - "policyType": "Custom", - "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "metadata": { - "version": "1.0.1", - "category": "Encryption", - "source": "https://github.com/Azure/Enterprise-Scale/", - "alzCloudEnvironments": [ - "AzureCloud" - ] - }, - "parameters": { - "ACRCmkEffect": { + "name": "Enforce-Encryption-CMK", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "metadata": { - "displayName": "Container registries should be encrypted with a customer-managed key (CMK)", - "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK." 
+ "version": "3.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, - "AksCmkEffect": { - "metadata": { - "displayName": "Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys", - "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." - }, - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ] - }, - "WorkspaceCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)", - "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk." - } - }, - "CognitiveServicesCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", - "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. 
CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." - } - }, - "CosmosCMKEffect": { - "type": "String", - "defaultValue": "audit", - "allowedValues": [ - "audit", - "deny", - "disabled" - ], - "metadata": { - "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", - "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." - } - }, - "DataBoxCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password", - "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key." 
- } - }, - "StreamAnalyticsCMKEffect": { - "type": "String", - "defaultValue": "audit", - "allowedValues": [ - "audit", - "deny", - "disabled" - ], - "metadata": { - "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data", - "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted." - } - }, - "SynapseWorkspaceCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest", - "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys." - } - }, - "StorageCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Disabled" - ], - "metadata": { - "displayName": "Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption", - "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." 
- } - }, - "MySQLCMKEffect": { - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "Azure MySQL servers bring your own key data protection should be enabled", - "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." - } - }, - "PostgreSQLCMKEffect": { - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "Azure PostgreSQL servers bring your own key data protection should be enabled", - "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." - } - }, - "SqlServerTDECMKEffect": { - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "SQL servers should use customer-managed keys to encrypt data at rest", - "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. 
This recommendation applies to organizations with a related compliance requirement." - } - }, - "HealthcareAPIsCMKEffect": { - "type": "String", - "defaultValue": "audit", - "allowedValues": [ - "audit", - "disabled" - ], - "metadata": { - "displayName": "Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest", - "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys." - } - }, - "AzureBatchCMKEffect": { - "type": "String", - "defaultValue": "Audit", - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "metadata": { - "displayName": "Azure Batch account should use customer-managed keys to encrypt data", - "description": "Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK." - } - }, - "EncryptedVMDisksEffect": { - "type": "String", - "defaultValue": "AuditIfNotExists", - "allowedValues": [ - "AuditIfNotExists", - "Disabled" - ], - "metadata": { - "displayName": "Disk encryption should be applied on virtual machines", - "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations." 
- } - } - }, - "policyDefinitions": [ - { - "policyDefinitionReferenceId": "ACRCmkDeny", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", "parameters": { - "effect": { - "value": "[[parameters('ACRCmkEffect')]" - } + "ACRCmkEffect": { + "metadata": { + "displayName": "Container registries should be encrypted with a customer-managed key (CMK)", + "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK." + }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "AksCmkEffect": { + "metadata": { + "displayName": "Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys", + "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." + }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "WorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)", + "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). 
By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk." + } + }, + "CognitiveServicesCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "CosmosCMKEffect": { + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." 
+ } + }, + "DataBoxCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password", + "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key." + } + }, + "StreamAnalyticsCMKEffect": { + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted." + } + }, + "SynapseWorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys." 
+ } + }, + "StorageCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption", + "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." + } + }, + "MySQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure MySQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." + } + }, + "PostgreSQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure PostgreSQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. 
CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." + } + }, + "SqlServerTDECMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "SQL servers should use customer-managed keys to encrypt data at rest", + "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement." + } + }, + "HealthcareAPIsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "disabled" + ], + "metadata": { + "displayName": "Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest", + "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys." + } + }, + "AzureBatchCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Batch account should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK." + } + }, + "EncryptedVMDisksEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Disk encryption should be applied on virtual machines", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations." + } + }, + "AutomationAccountCmkEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "BackupCmkEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveSearchCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "osAndDataDiskCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerInstanceCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesCmk": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "eventHubPremiumCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "serviceBusDenyCmk": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlManagedCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" 
+ ] + }, + "storageTableCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsEncryptionCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageQueueCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "AksCmkDeny", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", - "parameters": { - "effect": { - "value": "[[parameters('AksCmkEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "WorkspaceCMK", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", - "parameters": { - "effect": { - "value": "[[parameters('WorkspaceCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "CognitiveServicesCMK", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", - "parameters": { - "effect": { - "value": "[[parameters('CognitiveServicesCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "CosmosCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", - "parameters": { - "effect": { - "value": "[[parameters('CosmosCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "DataBoxCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", - "parameters": { - "effect": { - "value": "[[parameters('DataBoxCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", - "parameters": { - "effect": { - "value": "[[parameters('StreamAnalyticsCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", - "parameters": { - "effect": { - "value": "[[parameters('SynapseWorkspaceCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "StorageCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", - "parameters": { - "effect": { - "value": "[[parameters('StorageCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "MySQLCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", - "parameters": { - "effect": { - "value": "[[parameters('MySQLCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "PostgreSQLCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", - "parameters": { - "effect": { - "value": "[[parameters('PostgreSQLCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "SqlServerTDECMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", - "parameters": { - "effect": { - "value": "[[parameters('SqlServerTDECMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", - "parameters": { - "effect": { - "value": "[[parameters('HealthcareAPIsCMKEffect')]" - } - }, - "groupNames": [] - }, - { - 
"policyDefinitionReferenceId": "AzureBatchCMKEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", - "parameters": { - "effect": { - "value": "[[parameters('AzureBatchCMKEffect')]" - } - }, - "groupNames": [] - }, - { - "policyDefinitionReferenceId": "EncryptedVMDisksEffect", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", - "parameters": { - "effect": { - "value": "[[parameters('EncryptedVMDisksEffect')]" - } - }, - "groupNames": [] - } - ], - "policyDefinitionGroups": null - } -} + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "ACRCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "parameters": { + "effect": { + "value": "[[parameters('ACRCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AksCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "parameters": { + "effect": { + "value": "[[parameters('AksCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WorkspaceCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "parameters": { + "effect": { + "value": "[[parameters('WorkspaceCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CognitiveServicesCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "parameters": { + "effect": { + "value": "[[parameters('CognitiveServicesCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CosmosCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "parameters": { + "effect": { + 
"value": "[[parameters('CosmosCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataBoxCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "parameters": { + "effect": { + "value": "[[parameters('DataBoxCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "parameters": { + "effect": { + "value": "[[parameters('StreamAnalyticsCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "parameters": { + "effect": { + "value": "[[parameters('SynapseWorkspaceCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "parameters": { + "effect": { + "value": "[[parameters('StorageCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "parameters": { + "effect": { + "value": "[[parameters('MySQLCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlServerTDECMKEffect", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + "parameters": { + "effect": { + "value": "[[parameters('SqlServerTDECMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "parameters": { + "effect": { + "value": "[[parameters('HealthcareAPIsCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AzureBatchCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "parameters": { + "effect": { + "value": "[[parameters('AzureBatchCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EncryptedVMDisksEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "parameters": { + "effect": { + "value": "[[parameters('EncryptedVMDisksEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", + "policyDefinitionReferenceId": "Deny-Aa-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('AutomationAccountCmkEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", + "policyDefinitionReferenceId": "Deny-Backup-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('BackupCmkEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f", + "policyDefinitionReferenceId": "Deny-CognitiveSearch-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchCmk')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", + "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('osAndDataDiskCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6", + "policyDefinitionReferenceId": "Deny-ContainerInstance-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerInstanceCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa", + "policyDefinitionReferenceId": "Deny-ADX-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adxCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", + "policyDefinitionReferenceId": "Deny-Adf-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('adfCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec", + "policyDefinitionReferenceId": "Deny-EH-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubNamespacesCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK", + "policyDefinitionReferenceId": "Deny-EH-Premium-CMK", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubPremiumCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a", + "policyDefinitionReferenceId": "Deny-Sb-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('serviceBusDenyCmk')]" + } + 
} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688", + "policyDefinitionReferenceId": "Deny-Storage-Table-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageTableCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", + "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsEncryptionCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef", + "policyDefinitionReferenceId": "Deny-Storage-Queue-Cmk", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageQueueCmk')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json new file mode 100644 index 0000000000..a995c1ad8a --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json 
@@ -0,0 +1,234 @@
+{
+ "name": "Enforce-Guardrails-APIM",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for API Management",
+ "description": "This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "API Management",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "apiSubscriptionScope": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "minimumApiVersion": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimSkuVnet": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimDisablePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "apimApiBackendCertValidation": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimDirectApiEndpoint": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimCallApiAuthn": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimEncryptedProtocols": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimVnetUsage": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimSecrets": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "apimTls": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249",
+ "policyDefinitionReferenceId": "Deny-Apim-without-Kv",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimSecrets')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
+ "policyDefinitionReferenceId": "Deny-Apim-without-Vnet",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimVnetUsage')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS",
+ "policyDefinitionReferenceId": "Deny-APIM-TLS",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimTls')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4",
+ "policyDefinitionReferenceId": "Deny-Apim-Protocols",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimEncryptedProtocols')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54",
+ "policyDefinitionReferenceId": "Deny-Apim-Authn",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimCallApiAuthn')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4",
+ "policyDefinitionReferenceId": "Deny-Apim-Direct-Endpoint",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimDirectApiEndpoint')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4",
+ "policyDefinitionReferenceId": "Deny-Apim-Cert-Validation",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimApiBackendCertValidation')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2",
+ "policyDefinitionReferenceId": "Dine-Apim-Public-NetworkAccess",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimDisablePublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5",
+ "policyDefinitionReferenceId": "Deny-Apim-Sku-Vnet",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apimSkuVnet')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67",
+ "policyDefinitionReferenceId": "Deny-Apim-Version",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('minimumApiVersion')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1",
+ "policyDefinitionReferenceId": "Deny-Api-subscription-scope",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apiSubscriptionScope')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json
new file mode 100644
index 0000000000..d3e06a85f5
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json
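Review bot: The `Deny-APIM-TLS` entry is the only one of the eleven policy references that points at a custom definition rather than a built-in, and it does so through a management-group-scoped id whose `contoso` segment is hard-coded, so this set can only be created where a definition named `Deny-APIM-TLS` already exists at exactly that scope; if the repository's build step rewrites that segment to the deployment's root management group, that convention is not visible in this file and deserves a line in `metadata`. None of the eleven parameters carries `metadata.displayName`/`description` (the CMK set earlier in this same commit documents every parameter), so the assignment experience shows only raw names such as `apimSkuVnet`; a minimal fix per parameter is `"metadata": { "displayName": "Effect for API Management instances whose SKU does not support virtual network integration" }`. Because `apimDisablePublicNetworkAccess` defaults to `DeployIfNotExists` while every other effect defaults to `Deny`, an assignment of this set presumably needs a managed identity holding whatever role the referenced definition declares, and the initiative `description` could state that requirement rather than leaving it to be discovered at assignment time.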
@@ -0,0 +1,367 @@ +{ + "name": "Enforce-Guardrails-AppServices", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for App Service", + "description": "This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "functionAppDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceDisableLocalAuth": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceSkuPl": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceDisableLocalAuthFtp": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceRouting": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceScmAuth": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceRfc": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsRfc": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsVnetRouting": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceEnvLatestVersion": { + "type": 
"string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsRemoteDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsRemoteDebugging": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceByoc": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppSlotsModifyHttps": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "appServiceAppHttps": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "functionAppSlotsModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "appServiceAppsModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "appServiceAppModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC", + "policyDefinitionReferenceId": "Deny-AppService-Byoc", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceByoc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRemoteDebugging')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Remote-Debugging", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsRemoteDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a", + "policyDefinitionReferenceId": "Deny-AppService-Latest-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceEnvLatestVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5", + "policyDefinitionReferenceId": "Deny-AppService-Vnet-Routing", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsVnetRouting')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1", + "policyDefinitionReferenceId": "Deny-AppService-Rfc", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceRfc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222", + "policyDefinitionReferenceId": "Deny-AppServiceApps-Rfc", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRfc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb", + "policyDefinitionReferenceId": "DINE-FuncApp-Debugging", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79", + "policyDefinitionReferenceId": "DINE-AppService-ScmAuth", + "groupNames": [], + 
"parameters": { + "effect": { + "value": "[[parameters('appServiceScmAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4", + "policyDefinitionReferenceId": "Deny-AppServ-Routing", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceRouting')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5", + "policyDefinitionReferenceId": "Deny-AppServ-FtpAuth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisableLocalAuthFtp')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5", + "policyDefinitionReferenceId": "Deny-AppServ-SkuPl", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceSkuPl')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae", + "policyDefinitionReferenceId": "DINE-AppService-LocalAuth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b", + "policyDefinitionReferenceId": "DINE-AppService-Debugging", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b", + "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyHttps')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63", + "policyDefinitionReferenceId": "Modify-AppService-Https", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c", + "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c", + "policyDefinitionReferenceId": "Modify-AppService-Apps-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee", + "policyDefinitionReferenceId": "Modify-AppService-App-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json new file mode 100644 index 0000000000..3bcb0f4344 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json 
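Review bot: Several policyDefinitionReferenceIds in this initiative carry a `Deny-` prefix while the parameter they are bound to only allows DeployIfNotExists/Disabled, e.g. `Deny-AppService-Slots-Remote-Debugging` (bound to `appServiceAppSlotsRemoteDebugging`) and `Deny-AppServ-FtpAuth` (bound to `appServiceDisableLocalAuthFtp`); the prefix misstates the effect, and reference IDs surface in compliance records and exemptions, so they are costly to rename once released — `Dine-AppService-Slots-Remote-Debugging` and `Dine-AppServ-FtpAuth` would match the convention used for the other DeployIfNotExists members. `DINE-AppService-Debugging` (25a5046c-…) reuses `functionAppDebugging`, the same parameter as `DINE-FuncApp-Debugging`, so the App Service policy cannot be disabled independently; every other member has its own parameter, and a dedicated `appServiceDebugging` parameter would keep that consistent. None of the parameters here, nor in the other Enforce-Guardrails-* initiatives in this commit, declare `metadata.displayName`/`metadata.description`, so assignment UIs show bare parameter names; a one-line description per parameter stating which built-in it controls would help assignors.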
@@ -0,0 +1,137 @@ +{ + "name": "Enforce-Guardrails-Automation", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Automation Account", + "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Automation", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "aaModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "aaVariablesEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaManagedIdentity": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "autoHotPatch": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "aaModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc", + "policyDefinitionReferenceId": "Deny-Windows-Vm-HotPatch", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('autoHotPatch')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0", + "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity", + "groupNames": [], + "parameters": { + 
"effect": { + "value": "[[parameters('aaManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700", + "policyDefinitionReferenceId": "Deny-Aa-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", + "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaVariablesEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81", + "policyDefinitionReferenceId": "Modify-Aa-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaModifyLocalAUth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c", + "policyDefinitionReferenceId": "Modify-Aa-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aaModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json new file mode 100644 index 0000000000..ec6838b8d6 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json 
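Review bot: `Modify-Aa-Local-Auth` references `[[parameters('aaModifyLocalAUth')]` while the parameter is declared as `aaModifyLocalAuth`; the casing differs, and I would not rely on the policy engine resolving parameter names case-insensitively, so the reference should be `"value": "[[parameters('aaModifyLocalAuth')]"`. `Deny-Aa-Managed-Identity` is bound to `aaManagedIdentity`, whose allowedValues are only Audit/Disabled, so the `Deny-` prefix misstates what the member can do; `Audit-Aa-Managed-Identity` would be accurate. `Deny-Windows-Vm-HotPatch` (6d02d2f7-…) appears to concern Windows VM hotpatching rather than Automation accounts, so it may belong in the Compute initiative — worth confirming against the built-in before this ships.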
@@ -0,0 +1,118 @@ +{ + "name": "Enforce-Guardrails-CognitiveServices", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Cognitive Services", + "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "cognitiveSearchSku": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveSearchLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "modifyCognitiveSearchLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "modifyCognitiveSearchPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "cognitiveServicesModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", + "policyDefinitionReferenceId": "Deny-CognitiveSearch-SKU", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchSku')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91", + "policyDefinitionReferenceId": "Deny-CongitiveSearch-LocalAuth", + "groupNames": [], + "parameters": { + "effect": { + "value": 
"[[parameters('cognitiveSearchLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75", + "policyDefinitionReferenceId": "Modify-CogntiveSearch-LocalAuth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyCognitiveSearchLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30", + "policyDefinitionReferenceId": "Modify-CogntiveSearch-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyCognitiveSearchPublicEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c", + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json new file mode 100644 index 0000000000..2d447658fd --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json 
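Review bot: Three reference IDs are misspelled: `Deny-CongitiveSearch-LocalAuth`, `Modify-CogntiveSearch-LocalAuth` and `Modify-CogntiveSearch-PublicEndpoint`. Because policyDefinitionReferenceId is the stable key for compliance results and exemptions, fix them before the initiative ships: `Deny-CognitiveSearch-LocalAuth`, `Modify-CognitiveSearch-LocalAuth`, `Modify-CognitiveSearch-PublicEndpoint`. The category and displayName say "Cognitive Services" while four of the five members target Cognitive Search (judging by their reference IDs), so the description should mention Search to avoid surprising assignors.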
@@ -0,0 +1,64 @@
+{
+ "name": "Enforce-Guardrails-Compute",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Compute",
+ "description": "This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Compute",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "diskDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "vmAndVmssEncryptionHost": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87",
+ "policyDefinitionReferenceId": "Deny-VmAndVmss-Encryption-Host",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('vmAndVmssEncryptionHost')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816",
+ "policyDefinitionReferenceId": "Deny-Disk-Double-Encryption",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('diskDoubleEncryption')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json
new file mode 100644
index 0000000000..55ab33e46a
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json
@@ -0,0 +1,64 @@
+{
+ "name": "Enforce-Guardrails-ContainerApps",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Container Apps",
+ "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Container Apps",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "containerAppsManagedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "containerAppsVnetInjection": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb",
+ "policyDefinitionReferenceId": "Deny-ContainerApp-Vnet-Injection",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('containerAppsVnetInjection')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7",
+ "policyDefinitionReferenceId": "Deny-ContainerApps-Managed-Identity",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('containerAppsManagedIdentity')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json
new file mode 100644
index 0000000000..22357be82d
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json
@@ -0,0 +1,45 @@
+{
+ "name": "Enforce-Guardrails-ContainerInstance",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Container Instance",
+ "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Container Instances",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "containerInstanceVnet": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615",
+ "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('containerInstanceVnet')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json
new file mode 100644
index 0000000000..a21e7bdc53
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json
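Review bot: The description says "ensures Container Apps is compliant" but this initiative is Enforce-Guardrails-ContainerInstance, and the same copy-paste appears in the Enforce-Guardrails-ContainerRegistry hunk that follows. Since the description is what assignors see in the portal and in compliance reports, it should read `"description": "This policy initiative is a group of policies that ensures Container Instance is compliant per regulated Landing Zones."` here, and name Container Registry in the other file.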
@@ -0,0 +1,249 @@ +{ + "name": "Enforce-Guardrails-ContainerRegistry", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Container Registry", + "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Container Registry", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "containerRegistryUnrestrictedNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryRepositoryToken": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyRepositoryToken": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistryLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistryExports": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryAnAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyAnAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistrySkuPrivateLink": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + 
"containerRegistryArmAudience": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerRegistryModifyArmAudience": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "containerRegistryModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Repo-Token", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyRepositoryToken')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Arm-Audience", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryArmAudience')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Arm-Audience", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyArmAudience')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Sku-PrivateLink", + "groupNames": [], + "parameters": { + 
"effect": { + "value": "[[parameters('containerRegistrySkuPrivateLink')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Anonymous-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyAnAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Anonymous-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryAnAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Exports", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryExports')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Repo-Token", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryRepositoryToken')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", + "policyDefinitionReferenceId": "Deny-ContainerRegistry-Unrestricted-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryUnrestrictedNetworkAccess')]" + } 
+ } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9", + "policyDefinitionReferenceId": "Modify-ContainerRegistry-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('containerRegistryModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json new file mode 100644 index 0000000000..78b5883aab --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json 
@@ -0,0 +1,124 @@ +{ + "name": "Enforce-Guardrails-CosmosDb", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Cosmos DB", + "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Cosmos DB", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "cosmosDbLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cosmosDbFwRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cosmosDbAtp": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "cosmosDbModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "cosmosDbModifyPublicAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049", + "policyDefinitionReferenceId": "Modify-CosmosDb-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656", + "policyDefinitionReferenceId": "Dine-CosmosDb-Atp", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbAtp')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", + "policyDefinitionReferenceId": "Deny-CosmosDb-Fw-Rules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2", + "policyDefinitionReferenceId": "Deny-CosmosDb-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5", + "policyDefinitionReferenceId": "Append-CosmosDb-Metadata", + "groupNames": [], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088", + "policyDefinitionReferenceId": "Modify-CosmosDb-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cosmosDbModifyPublicAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json new file mode 100644 index 0000000000..63dc68ab6d --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json 
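Review bot: `Append-CosmosDb-Metadata` (4750c32b-…) is the only member with an empty `parameters` object, so it has no effect parameter and cannot be turned off at assignment time, unlike every other member of this initiative and its siblings in this commit. If the built-in exposes an `effect` parameter, add a `cosmosDbAppendMetadata` parameter with Append/Disabled and bind it as `"effect": { "value": "[[parameters('cosmosDbAppendMetadata')]" }`; if it does not, that should be stated in the initiative description so assignors know the member is unconditional.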
@@ -0,0 +1,101 @@
+{
+ "name": "Enforce-Guardrails-DataExplorer",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Data Explorer",
+ "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Azure Data Explorer",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "adxEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adxDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adxSku": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adxModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b",
+ "policyDefinitionReferenceId": "Deny-ADX-Sku-without-PL-Support",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('adxSku')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1",
+ "policyDefinitionReferenceId": "Deny-ADX-Double-Encryption",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('adxDoubleEncryption')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e",
+ "policyDefinitionReferenceId": "Deny-ADX-Encryption",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('adxEncryption')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa",
+ "policyDefinitionReferenceId": "Modify-ADX-Public-Network-Access",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('adxModifyPublicNetworkAccess')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json
new file mode 100644
index 0000000000..1e4ccb20de
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json
@@ -0,0 +1,120 @@
+{
+ "name": "Enforce-Guardrails-DataFactory",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Data Factory",
+ "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Data Factory",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "adfSqlIntegration": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adfLinkedServiceKeyVault": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adfGit": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adfManagedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "adfModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a",
+ "policyDefinitionReferenceId": "Deny-Adf-Managed-Identity",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('adfManagedIdentity')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307",
+ "policyDefinitionReferenceId": "Deny-Adf-Git",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('adfGit')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0",
+ "policyDefinitionReferenceId": "Deny-Adf-Linked-Service-Key-Vault",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('adfLinkedServiceKeyVault')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952",
+ "policyDefinitionReferenceId": "Deny-Adf-Sql-Integration",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('adfSqlIntegration')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7",
+ "policyDefinitionReferenceId": "Modify-Adf-Public-Network-Access",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('adfModifyPublicNetworkAccess')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json
new file mode 100644
index 0000000000..e664afc6e7
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json
@@ -0,0 +1,173 @@
+{
+ "name": "Enforce-Guardrails-EventGrid",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Event Grid",
+ "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Event Grid",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "eventGridLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventGridPartnerNamespaceLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventGridPartnerNamespaceModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "eventGridTopicLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventGridTopicModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "eventGridDomainModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "eventGridDomainModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "eventGridTopicModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924",
+ "policyDefinitionReferenceId": "Modify-EventGrid-Partner-Namespace-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1",
+ "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventGridDomainModifyLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c",
+ "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventGridTopicLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04",
+ "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventGridTopicModifyLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e",
+ "policyDefinitionReferenceId": "Deny-EventGrid-Partner-Namespace-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventGridPartnerNamespaceLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd",
+ "policyDefinitionReferenceId": "Deny-EventGrid-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventGridLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4",
+ "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Public-Network-Access",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventGridDomainModifyPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172",
+ "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Public-Network-Access",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventGridTopicModifyPublicNetworkAccess')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json
new file mode 100644
index 0000000000..feaf0a1baf
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json
@@ -0,0 +1,101 @@
+{
+ "name": "Enforce-Guardrails-EventHub",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Event Hub",
+ "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Event Hub",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "eventHubAuthRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventHubNamespacesLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "eventHubNamespacesModifyLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "eventHubNamespacesDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c",
+ "policyDefinitionReferenceId": "Deny-EH-Double-Encryption",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventHubNamespacesDoubleEncryption')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d",
+ "policyDefinitionReferenceId": "Modify-EH-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventHubNamespacesModifyLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598",
+ "policyDefinitionReferenceId": "Deny-EH-Local-Auth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventHubNamespacesLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7",
+ "policyDefinitionReferenceId": "Deny-EH-Auth-Rules",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('eventHubAuthRules')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json
new file mode 100644
index 0000000000..3c68197a8e
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json
@@ -0,0 +1,62 @@
+{
+ "name": "Enforce-Guardrails-KeyVault-Sup",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce additional recommended guardrails for Key Vault",
+ "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Key Vault",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "keyVaultManagedHsmDisablePublicNetworkModify": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "keyVaultModifyFw": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456",
+ "policyDefinitionReferenceId": "Modify-KV-PublicNetworkAccess",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc",
+ "policyDefinitionReferenceId": "Modify-KV-Fw",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultModifyFw')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json
new file mode 100644
index 0000000000..04f79c6d6c
--- /dev/null
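Review bot: The first reference is named `Modify-KV-PublicNetworkAccess` but is driven by a parameter called `keyVaultManagedHsmDisablePublicNetworkModify`, so the initiative itself does not tell a reader whether the Modify effect is applied to Key Vault or to Managed HSM resources. Since parameter names become part of the assignment contract and are awkward to rename later, align the two before this ships: either rename the parameter to `keyVaultModifyPublicNetworkAccess` (matching the sibling `keyVaultModifyFw` / `Modify-KV-Fw` pair) if the referenced definition targets vaults, or rename the reference id to say HSM if it does not. A `metadata` block with a `displayName` and `description` on both parameters would make the same distinction visible at assignment time.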
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json 
@@ -0,0 +1,795 @@
+{
+ "name": "Enforce-Guardrails-KeyVault",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Azure Key Vault",
+ "description": "Enforce recommended guardrails for Azure Key Vault.",
+ "metadata": {
+ "version": "2.1.0",
+ "category": "Key Vault",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effectKvSoftDelete": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "effectKvPurgeProtection": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "effectKvSecretsExpire": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "effectKvKeysExpire": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "effectKvFirewallEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "effectKvCertLifetime": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "audit",
+ "Audit",
+ "deny",
+ "Deny",
+ "disabled",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "maximumCertLifePercentageLife": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "The maximum lifetime percentage",
+ "description": "Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'."
+ },
+ "defaultValue": 80
+ },
+ "minimumCertLifeDaysBeforeExpiry": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "The minimum days before expiry",
+ "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
+ },
+ "defaultValue": 90
+ },
+ "effectKvKeysLifetime": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "minimumKeysLifeDaysBeforeExpiry": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "The minimum days before expiry",
+ "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
+ },
+ "defaultValue": 90
+ },
+ "effectKvSecretsLifetime": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "minimumSecretsLifeDaysBeforeExpiry": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "The minimum days before expiry",
+ "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
+ },
+ "defaultValue": 90
+ },
+ "keyVaultCheckMinimumRSACertificateSize": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "audit",
+ "Audit",
+ "deny",
+ "Deny",
+ "disabled",
+ "Disabled"
+ ]
+ },
+ "keyVaultMinimumRSACertificateSizeValue": {
+ "type": "integer",
+ "defaultValue": 2048,
+ "allowedValues": [
+ 2048,
+ 3072,
+ 4096
+ ]
+ },
+ "keyVaultManagedHsmCheckMinimumRSAKeySize": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keyVaultManagedHsmMinimumRSAKeySizeValue": {
+ "type": "integer",
+ "defaultValue": 2048,
+ "allowedValues": [
+ 2048,
+ 3072,
+ 4096
+ ]
+ },
+ "keyVaultCheckMinimumRSAKeySize": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keyVaultMinimumRSAKeySizeValue": {
+ "type": "integer",
+ "defaultValue": 2048,
+ "allowedValues": [
+ 2048,
+ 3072,
+ 4096
+ ]
+ },
+ "keyVaultArmRbac": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keyVaultHmsPurgeProtection": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keyVaultCertificatesPeriod": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "audit",
+ "Audit",
+ "deny",
+ "Deny",
+ "disabled",
+ "Disabled"
+ ]
+ },
+ "keyVaultCertValidPeriod": {
+ "type": "integer",
+ "defaultValue": 12
+ },
+ "keyVaultHmsKeysExpiration": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keysValidPeriod": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keysValidityInDays": {
+ "type": "integer",
+ "defaultValue": 90
+ },
+ "secretsValidPeriod": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "secretsValidityInDays": {
+ "type": "integer",
+ "defaultValue": 90
+ },
+ "keyVaultCertKeyTypes": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "audit",
+ "Audit",
+ "deny",
+ "Deny",
+ "disabled",
+ "Disabled"
+ ]
+ },
+ "keyVaultEllipticCurve": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "audit",
+ "Audit",
+ "deny",
+ "Deny",
+ "disabled",
+ "Disabled"
+ ]
+ },
+ "keyVaultCryptographicType": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keysActive": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keysActiveInDays": {
+ "type": "integer",
+ "defaultValue": 90
+ },
+ "keysCurveNames": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "secretsActiveInDays": {
+ "type": "integer",
+ "defaultValue": 90
+ },
+ "secretsActive": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keyVaultSecretContentType": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keyVaultNonIntegratedCa": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "allowedValues": [
+ "audit",
+ "Audit",
+ "deny",
+ "Deny",
+ "disabled",
+ "Disabled"
+ ]
+ },
+ "keyVaultNonIntegratedCaValue": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "The common name of the certificate authority",
+ "description": "The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso"
+ }
+ },
+ "keyVaultIntegratedCa": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "audit",
+ "Audit",
+ "deny",
+ "Deny",
+ "disabled",
+ "Disabled"
+ ]
+ },
+ "keyVaultIntegratedCaValue": {
+ "type": "array",
+ "defaultValue": [
+ "DigiCert",
+ "GlobalSign"
+ ]
+ },
+ "keyVaultHsmMinimumDaysBeforeExpiration": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keyVaultHsmMinimumDaysBeforeExpirationValue": {
+ "type": "integer",
+ "defaultValue": 90
+ },
+ "keyVaultHmsCurveNames": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "keyVaultHmsCurveNamesValue": {
+ "type": "array",
+ "defaultValue": [
+ "P-256",
+ "P-256K",
+ "P-384",
+ "P-521"
+ ]
+ },
+ "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "audit",
+ "Audit",
+ "deny",
+ "Deny",
+ "disabled",
+ "Disabled"
+ ]
+ },
+ "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue": {
+ "type": "integer",
+ "defaultValue": 90
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "KvSoftDelete",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvSoftDelete')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvPurgeProtection",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvPurgeProtection')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvSecretsExpire",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvSecretsExpire')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvKeysExpire",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvKeysExpire')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvFirewallEnabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvFirewallEnabled')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvCertLifetime",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvCertLifetime')]"
+ },
+ "maximumPercentageLife": {
+ "value": "[[parameters('maximumCertLifePercentageLife')]"
+ },
+ "minimumDaysBeforeExpiry": {
+ "value": "[[parameters('minimumCertLifeDaysBeforeExpiry')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvKeysLifetime",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvKeysLifetime')]"
+ },
+ "minimumDaysBeforeExpiration": {
+ "value": "[[parameters('minimumKeysLifeDaysBeforeExpiry')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KvSecretsLifetime",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectKvSecretsLifetime')]"
+ },
+ "minimumDaysBeforeExpiration": {
+ "value": "[[parameters('minimumSecretsLifeDaysBeforeExpiry')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0",
+ "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinCertSize",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCheckMinimumRSACertificateSize')]"
+ },
+ "minimumRSAKeySize": {
+ "value": "[[parameters('keyVaultMinimumRSACertificateSizeValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57",
+ "policyDefinitionReferenceId": "Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]"
+ },
+ "minimumRSAKeySize": {
+ "value": "[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9",
+ "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinKeySize",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCheckMinimumRSAKeySize')]"
+ },
+ "minimumRSAKeySize": {
+ "value": "[[parameters('keyVaultMinimumRSAKeySizeValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5",
+ "policyDefinitionReferenceId": "Deny-KV-without-ArmRbac",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultArmRbac')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383",
+ "policyDefinitionReferenceId": "Deny-KV-Hms-PurgeProtection",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultHmsPurgeProtection')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
+ "policyDefinitionReferenceId": "Deny-KV-Cert-Period",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCertificatesPeriod')]"
+ },
+ "maximumValidityInMonths": {
+ "value": "[[parameters('keyVaultCertValidPeriod')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5",
+ "policyDefinitionReferenceId": "Deny-KV-Hms-Key-Expire",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultHmsKeysExpiration')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9",
+ "policyDefinitionReferenceId": "Deny-KV-Keys-Expire",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keysValidPeriod')]"
+ },
+ "maximumValidityInDays": {
+ "value": "[[parameters('keysValidityInDays')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f",
+ "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('secretsValidPeriod')]"
+ },
+ "maximumValidityInDays": {
+ "value": "[[parameters('secretsValidityInDays')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f",
+ "policyDefinitionReferenceId": "Deny-KV-Key-Types",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCertKeyTypes')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf",
+ "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultEllipticCurve')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb",
+ "policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCryptographicType')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9",
+ "policyDefinitionReferenceId": "Deny-KV-Key-Active",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keysActive')]"
+ },
+ "maximumValidityInDays": {
+ "value": "[[parameters('keysActiveInDays')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255",
+ "policyDefinitionReferenceId": "Deny-KV-Curve-Names",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keysCurveNames')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe",
+ "policyDefinitionReferenceId": "Deny-KV-Secret-ActiveDays",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('secretsActive')]"
+ },
+ "maximumValidityInDays": {
+ "value": "[[parameters('secretsActiveInDays')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3",
+ "policyDefinitionReferenceId": "Deny-Kv-Secret-Content-Type",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultSecretContentType')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341",
+ "policyDefinitionReferenceId": "Deny-Kv-Non-Integrated-Ca",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultNonIntegratedCa')]"
+ },
+ "caCommonName": {
+ "value": "[[parameters('keyVaultNonIntegratedCaValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82",
+ "policyDefinitionReferenceId": "Deny-Kv-Integrated-Ca",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultIntegratedCa')]"
+ },
+ "allowedCAs": {
+ "value": "[[parameters('keyVaultIntegratedCaValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653",
+ "policyDefinitionReferenceId": "Deny-Kv-Hsm-MinimumDays-Before-Expiration",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]"
+ },
+ "minimumDaysBeforeExpiration": {
+ "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e",
+ "policyDefinitionReferenceId": "Deny-Kv-Hsm-Curve-Names",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultHmsCurveNames')]"
+ },
+ "allowedECNames": {
+ "value": "[[parameters('keyVaultHmsCurveNamesValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427",
+ "policyDefinitionReferenceId": "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]"
+ },
+ "daysToExpire": {
+ "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json
new file mode 100644
index 0000000000..08a03e892d
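Review bot: The `description` of `minimumKeysLifeDaysBeforeExpiry` and `minimumSecretsLifeDaysBeforeExpiry` is a copy of the certificate parameter's text and still reads "days before expiration of the certificate", although these values feed `minimumDaysBeforeExpiration` on the `KvKeysLifetime` and `KvSecretsLifetime` references; reword them to `"Enter the days before expiration of the key when you want to trigger the policy action ..."` and the secret equivalent so the assignment UI does not mislead. Everything from `keyVaultCheckMinimumRSACertificateSize` onward has no `metadata` at all, so the security-relevant defaults (2048-bit minimum RSA size, 12-month certificate validity, 90-day windows, the `DigiCert`/`GlobalSign` issuer list and the `P-256K` curve in `keyVaultHmsCurveNamesValue`) are undocumented to whoever assigns or overrides them. Parameter naming is also inconsistent for the same product: `keyVaultHmsPurgeProtection`, `keyVaultHmsKeysExpiration` and `keyVaultHmsCurveNames` spell Managed HSM as "Hms" while `keyVaultHsmMinimumDaysBeforeExpiration` and the reference ids `Deny-Kv-Hsm-*` use "Hsm"; since parameter names are part of the assignment contract, settle on one spelling before this version ships.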
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json
@@ -0,0 +1,344 @@ +{ + "name": "Enforce-Guardrails-Kubernetes", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Kubernetes", + "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.1.0", + "category": "Kubernetes", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "aksKms": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "aksCni": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "aksLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPrivateCluster": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPolicy": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aksCommandInvoke": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "aksReadinessOrLivenessProbes": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksPrivContainers": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "aksPrivEscalation": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "aksAllowedCapabilities": { + "type": "string", + "defaultValue": "Deny", + 
"allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "aksTempDisk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksInternalLb": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "aksDefaultNamespace": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "aksNakedPods": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "aksShareHostProcessAndNamespace": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ] + }, + "aksWindowsContainerAdministrator": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75", + "policyDefinitionReferenceId": "Deny-Aks-Windows-Container-Administrator", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksWindowsContainerAdministrator')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", + "policyDefinitionReferenceId": "Deny-Aks-Shared-Host-Process-Namespace", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksShareHostProcessAndNamespace')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581", + "policyDefinitionReferenceId": "Deny-Aks-Naked-Pods", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksNakedPods')]" + } + } + }, + { + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373", + "policyDefinitionReferenceId": "Deny-Aks-Default-Namespace", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksDefaultNamespace')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e", + "policyDefinitionReferenceId": "Deny-Aks-Internal-Lb", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksInternalLb')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c", + "policyDefinitionReferenceId": "Deny-Aks-Temp-Disk-Encryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksTempDisk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", + "policyDefinitionReferenceId": "Deny-Aks-Allowed-Capabilities", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksAllowedCapabilities')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "policyDefinitionReferenceId": "Deny-Aks-Priv-Escalation", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksPrivEscalation')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "policyDefinitionReferenceId": "Deny-Aks-Priv-Containers", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksPrivContainers')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915", + "policyDefinitionReferenceId": "Deny-Aks-ReadinessOrLiveness-Probes", + "groupNames": [], + "parameters": { 
+ "effect": { + "value": "[[parameters('aksReadinessOrLivenessProbes')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc", + "policyDefinitionReferenceId": "Dine-Aks-Command-Invoke", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksCommandInvoke')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "policyDefinitionReferenceId": "Dine-Aks-Policy", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksPolicy')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "policyDefinitionReferenceId": "Deny-Aks-Private-Cluster", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksPrivateCluster')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32", + "policyDefinitionReferenceId": "Deny-Aks-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008", + "policyDefinitionReferenceId": "Deny-Aks-Kms", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksKms')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67", + "policyDefinitionReferenceId": "Deny-Aks-Cni", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('aksCni')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
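Review bot: Six parameters in this file — `aksPrivContainers`, `aksPrivEscalation`, `aksAllowedCapabilities`, `aksInternalLb`, `aksDefaultNamespace` and `aksShareHostProcessAndNamespace` — list both lowercase and capitalized spellings in `allowedValues` (`audit`/`Audit`, `deny`/`Deny`, `disabled`/`Disabled`), while the other ten accept only the capitalized set; presumably the referenced in-cluster definitions accept lowercase effect names, but as written an assignment can carry `deny` for one reference and `Deny` for the next with the same intent. Either trim those lists to the capitalized values used everywhere else, or record the reason on each such parameter, e.g. `"metadata": { "description": "Effect for the referenced Kubernetes definition, which also accepts lowercase effect names." }`. More generally, none of the parameters in this initiative carry `metadata.displayName`/`description`, although the Network initiative in this commit shows the convention on `denyMgmtFromInternetPorts`; the same gap is in the MachineLearning, MySQL, OpenAI, PostgreSQL and SQL files and in most of the Network one. A one-line description per parameter is what assignment authors see when they set these effects, so it is worth adding before release.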
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json new file mode 100644 index 0000000000..74d25941c1 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json 
@@ -0,0 +1,118 @@ +{ + "name": "Enforce-Guardrails-MachineLearning", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Machine Learning", + "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "mlUserAssignedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "mlModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "mlLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "mlOutdatedOS": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "mlModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2", + "policyDefinitionReferenceId": "Deny-ML-Outdated-Os", + "groupNames": [], + "parameters": { + "effects": { + "value": "[[parameters('mlOutdatedOS')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f", + "policyDefinitionReferenceId": "Deny-ML-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('mlLocalAuth')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512", + "policyDefinitionReferenceId": "Modify-ML-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('mlModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78", + "policyDefinitionReferenceId": "Deny-ML-User-Assigned-Identity", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('mlUserAssignedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f", + "policyDefinitionReferenceId": "Modify-ML-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('mlModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json new file mode 100644 index 0000000000..ce2b30161f --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json 
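Review bot: The `Deny-ML-Outdated-Os` entry passes its effect under the key `effects`, while every other reference in this commit uses `effect`. If the referenced built-in really names its parameter `effects`, the entry is correct but will read as a typo to the next maintainer, so document it on the parameter, e.g. `"metadata": { "description": "Effect for the outdated-OS definition; the referenced definition names this parameter 'effects'." }`; if it does not, the initiative will fail validation on deployment and the key should be `"effect": {`. The parameter name `mlOutdatedOS` is also the only one in this file with an upper-case acronym, and it disagrees with the casing of its own reference id `Deny-ML-Outdated-Os`; `mlOutdatedOs` would keep the camelCase used by the other parameters.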
@@ -0,0 +1,63 @@
+{
+ "name": "Enforce-Guardrails-MySQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for MySQL",
+ "description": "This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "MySQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "mySqlInfraEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mySqlAdvThreatProtection": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816",
+ "policyDefinitionReferenceId": "Dine-MySql-Adv-Threat-Protection",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlAdvThreatProtection')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4",
+ "policyDefinitionReferenceId": "Deny-MySql-Infra-Encryption",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('mySqlInfraEncryption')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json
new file mode 100644
index 0000000000..bec7c6d07e
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json
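Review bot: `Deny-MySql-Infra-Encryption` defaults to `Deny` through `mySqlInfraEncryption`, but I believe the referenced built-in evaluates the MySQL single-server resource type rather than Flexible Server; if that is right, the guardrail is inert for new flexible-server deployments even though the initiative's displayName and description claim MySQL compliance in general. Please confirm against the referenced definition's policyRule before merge, and either scope the description accordingly or reference a flexible-server equivalent. If it is confirmed to be single-server only, a `"metadata": { "description": "Applies to MySQL single server only." }` on the parameter would stop the next reader from assuming broader coverage.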
@@ -0,0 +1,529 @@ +{ + "name": "Enforce-Guardrails-Network", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Network and Networking services", + "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.", + "metadata": { + "version": "1.1.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "subnetUdr": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "subnetNsg": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "subnetServiceEndpoint": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appGwWaf": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "vnetModifyDdos": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Audit", + "Modify", + "Disabled" + ] + }, + "ddosPlanResourceId": { + "type": "string", + "defaultValue": "" + }, + "wafMode": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "wafModeRequirement": { + "type": "string", + "defaultValue": "Prevention" + }, + "wafFwRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "wafModeAppGw": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "wafModeAppGwRequirement": { + "type": "string", + "defaultValue": "Prevention" + }, + "denyMgmtFromInternet": { + 
"type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "denyMgmtFromInternetPorts": { + "type": "Array", + "metadata": { + "displayName": "Ports", + "description": "Ports to be blocked" + }, + "defaultValue": [ + "22", + "3389" + ] + }, + "afwEnbaleTlsForAllAppRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "afwEnableTlsInspection": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "afwEmptyIDPSBypassList": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "afwEnableAllIDPSSignatureRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "afwEnableIDPS": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "wafAfdEnabled": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "vpnAzureAD": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appGwTlsVersion": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "modifyUdr": { + "type": "string", + "defaultValue": "Disabled" + }, + "modifyUdrNextHopIpAddress": { + "type": "string", + "defaultValue": "" + }, + "modifyUdrNextHopType": { + "type": "string", + "defaultValue": "None" + }, + "modifyUdrAddressPrefix": { + "type": "string", + "defaultValue": "0.0.0.0/0" + }, + "modifyNsg": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "modifyNsgRuleName": { + "type": "string", + "defaultValue": "DenyAnyInternetOutbound" + }, + "modifyNsgRulePriority": { + "type": "integer", + "defaultValue": 1000 + }, + 
"modifyNsgRuleDirection": { + "type": "string", + "defaultValue": "Outbound" + }, + "modifyNsgRuleAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Allow", + "Deny" + ] + }, + "modifyNsgRuleProtocol": { + "type": "string", + "defaultValue": "*" + }, + "modifyNsgRuleSourceAddressPrefix": { + "type": "string", + "defaultValue": "*" + }, + "modifyNsgRuleSourcePortRange": { + "type": "string", + "defaultValue": "*" + }, + "modifyNsgRuleDestinationAddressPrefix": { + "type": "string", + "defaultValue": "Internet" + }, + "modifyNsgRuleDestinationPortRange": { + "type": "string", + "defaultValue": "*" + }, + "modifyNsgRuleDescription": { + "type": "string", + "defaultValue": "Deny any outbound traffic to the Internet" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010", + "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet", + "groupNames": [], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7", + "policyDefinitionReferenceId": "Deny-VPN-AzureAD", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('vpnAzureAD')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", + "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('wafAfdEnabled')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a", + "policyDefinitionReferenceId": "Deny-Waf-IDPS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('afwEnableIDPS')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", + 
"policyDefinitionReferenceId": "Deny-FW-AllIDPSS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('afwEnableAllIDPSSignatureRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", + "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('afwEmptyIDPSBypassList')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", + "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('afwEnableTlsInspection')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", + "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('afwEnbaleTlsForAllAppRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", + "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('wafModeAppGw')]" + }, + "modeRequirement": { + "value": "[[parameters('wafModeAppGwRequirement')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d", + "policyDefinitionReferenceId": "Deny-Waf-Fw-rules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('wafFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", + "policyDefinitionReferenceId": "Deny-Waf-mode", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('wafMode')]" + }, + 
"modeRequirement": { + "value": "[[parameters('wafModeRequirement')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "policyDefinitionReferenceId": "Modify-vNet-DDoS", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('vnetModifyDdos')]" + }, + "ddosPlan": { + "value": "[[parameters('ddosPlanResourceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "policyDefinitionReferenceId": "Deny-Ip-Forwarding", + "groupNames": [], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", + "policyDefinitionReferenceId": "Deny-vNic-Pip", + "groupNames": [], + "parameters": {} + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appGwWaf')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", + "policyDefinitionReferenceId": "Deny-Subnet-Without-Udr", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('subnetUdr')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", + "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('subnetNsg')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints", + 
"policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('subnetServiceEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet", + "policyDefinitionReferenceId": "Deny-Mgmt-From-Internet", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('denyMgmtFromInternet')]" + }, + "ports": { + "value": "[[parameters('denyMgmtFromInternetPorts')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls", + "policyDefinitionReferenceId": "Deny-AppGw-Without-Tls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appGwTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR", + "policyDefinitionReferenceId": "Modify-Udr", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyUdr')]" + }, + "nextHopIpAddress": { + "value": "[[parameters('modifyUdrNextHopIpAddress')]" + }, + "nextHopType": { + "value": "[[parameters('modifyUdrNextHopType')]" + }, + "addressPrefix": { + "value": "[[parameters('modifyUdrAddressPrefix')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG", + "policyDefinitionReferenceId": "Modify-Nsg", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyNsg')]" + }, + "nsgRuleName": { + "value": "[[parameters('modifyNsgRuleName')]" + }, + "nsgRulePriority": { + "value": "[[parameters('modifyNsgRulePriority')]" + }, + "nsgRuleDirection": { + "value": 
"[[parameters('modifyNsgRuleDirection')]" + }, + "nsgRuleAccess": { + "value": "[[parameters('modifyNsgRuleAccess')]" + }, + "nsgRuleProtocol": { + "value": "[[parameters('modifyNsgRuleProtocol')]" + }, + "nsgRuleSourceAddressPrefix": { + "value": "[[parameters('modifyNsgRuleSourceAddressPrefix')]" + }, + "nsgRuleSourcePortRange": { + "value": "[[parameters('modifyNsgRuleSourcePortRange')]" + }, + "nsgRuleDestinationAddressPrefix": { + "value": "[[parameters('modifyNsgRuleDestinationAddressPrefix')]" + }, + "nsgRuleDestinationPortRange": { + "value": "[[parameters('modifyNsgRuleDestinationPortRange')]" + }, + "nsgRuleDescription": { + "value": "[[parameters('modifyNsgRuleDescription')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json new file mode 100644 index 0000000000..06d322be64 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json 
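Review bot: The parameter `afwEnbaleTlsForAllAppRules` is misspelled (`Enbale`), both in `parameters` and in the `Deny-FW-TLS-AllApp` reference; initiative parameter names are the assignment interface, so renaming after release is a breaking change — fix it now with `"afwEnableTlsForAllAppRules": {` and `"value": "[[parameters('afwEnableTlsForAllAppRules')]"`. `modifyUdr` has no `allowedValues` even though it is passed as an effect, unlike `modifyNsg` which constrains to `Modify`/`Disabled`; if the custom `Modify-UDR` definition accepts the same set, add `"allowedValues": [ "Modify", "Disabled" ]` so a mistyped effect is rejected at assignment validation rather than surfacing at evaluation. The seven custom definitions are referenced under `/providers/Microsoft.Management/managementGroups/contoso/...` (the OpenAI initiative does the same for its two custom definitions); presumably `contoso` is substituted at build or deployment time, but please confirm the substitution covers these new files, since an unreplaced placeholder would only show up as a failed initiative deployment.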
@@ -0,0 +1,139 @@ +{ + "name": "Enforce-Guardrails-OpenAI", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)", + "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "cognitiveServicesOutboundNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesNetworkAcls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesModifyDisableLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "cognitiveServicesDisableLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesCustomerStorage": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesManagedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess", + "policyDefinitionReferenceId": "Deny-OpenAi-OutboundNetworkAccess", + "groupNames": [], + "parameters": { + "effect": { + "value": 
"[[parameters('cognitiveServicesOutboundNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls", + "policyDefinitionReferenceId": "Deny-OpenAi-NetworkAcls", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesNetworkAcls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Cust-Storage", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCustomerStorage')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyDisableLocalAuth')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
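Review bot: The `policyDefinitionReferenceId` values mix two naming schemes in one initiative: `Deny-OpenAi-OutboundNetworkAccess` and `Deny-OpenAi-NetworkAcls` for the two custom definitions versus `Deny-Cognitive-Services-Managed-Identity`, `Deny-Cognitive-Services-Local-Auth`, `Deny-Cognitive-Services-Cust-Storage` and `Modify-Cognitive-Services-Local-Auth` for the built-ins. Reference ids are the stable key that compliance results and exemptions are recorded against, so as far as I know changing them after the first assignment is disruptive; settle on one scheme before release, e.g. `"policyDefinitionReferenceId": "Deny-Cognitive-Services-Outbound-Network-Access",` and `"policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Acls",`. The parameters already use the `cognitiveServices` prefix throughout, so the `Cognitive-Services` form is the natural choice.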
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json
new file mode 100644
index 0000000000..484292f11d
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json
@@ -0,0 +1,44 @@
+{
+ "name": "Enforce-Guardrails-PostgreSQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for PostgreSQL",
+ "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "PostgreSQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "postgreSqlAdvThreatProtection": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3",
+ "policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('postgreSqlAdvThreatProtection')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json
new file mode 100644
index 0000000000..5fb82b190f
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json
@@ -0,0 +1,106 @@
+{
+ "name": "Enforce-Guardrails-SQL",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for SQL and SQL Managed Instance",
+ "description": "This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "sqlManagedAadOnly": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "sqlAadOnly": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "sqlManagedDefender": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "modifySqlPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd",
+ "policyDefinitionReferenceId": "Dine-Sql-Managed-Defender",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('sqlManagedDefender')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027",
+ "policyDefinitionReferenceId": "Deny-Sql-Aad-Only",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('sqlAadOnly')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f",
+ "policyDefinitionReferenceId": "Deny-Sql-Managed-Aad-Only",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('sqlManagedAadOnly')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6",
+ "policyDefinitionReferenceId": "Dine-Sql-Adv-Data",
+ "groupNames": [],
+ "parameters": {}
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b",
+ "policyDefinitionReferenceId": "Modify-Sql-PublicNetworkAccess",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifySqlPublicNetworkAccess')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json
new file mode 100644
index 0000000000..79b30ef808
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json
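Review bot: `Dine-Sql-Adv-Data` (6134c3db-…) is wired with `"parameters": {}` while every other member of this initiative routes its effect through an initiative parameter, so it is the one policy an assignment cannot turn off without editing the definition. If that built-in exposes an `effect` parameter (I can't confirm from here), add `"sqlAdvData": { "type": "string", "defaultValue": "DeployIfNotExists", "allowedValues": ["DeployIfNotExists", "Disabled"] }` and pass `"effect": { "value": "[[parameters('sqlAdvData')]" }`; if it does not, say so in the PR description so the asymmetry is understood as deliberate. The `description` also reads "SQL and SQL Managed Instance is compliant" — `are compliant`.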
@@ -0,0 +1,101 @@
+{
+ "name": "Enforce-Guardrails-ServiceBus",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Service Bus",
+ "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Service Bus",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "serviceBusModifyDisableLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "serviceBusDenyDisabledLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "serviceBusDoubleEncryption": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "serviceBusAuthzRules": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee",
+ "policyDefinitionReferenceId": "Deny-Sb-Authz-Rules",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusAuthzRules')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b",
+ "policyDefinitionReferenceId": "Deny-Sb-Encryption",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusDoubleEncryption')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af",
+ "policyDefinitionReferenceId": "Deny-Sb-LocalAuth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusDenyDisabledLocalAuth')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e",
+ "policyDefinitionReferenceId": "Modify-Sb-LocalAuth",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('serviceBusModifyDisableLocalAuth')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json
new file mode 100644
index 0000000000..c5abdeee28
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json
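Review bot: The initiative parameter `serviceBusDenyDisabledLocalAuth` reads as "deny when local auth is disabled", which is the opposite of what the `Deny-Sb-LocalAuth` entry it feeds is evidently for; the Cognitive Services initiative earlier in this PR uses the plain form `cognitiveServicesDisableLocalAuth`, so `serviceBusDisableLocalAuth` would keep the naming consistent across initiatives. Parameter names are the public surface of a policy set definition — once assignments reference them a rename is a breaking change — so this is the cheap moment to fix it. The same applies to `serviceBusDoubleEncryption`, which feeds an entry named `Deny-Sb-Encryption`; if the built-in is about customer-managed keys rather than infrastructure (double) encryption, the parameter name will mislead assignment authors.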
@@ -0,0 +1,463 @@ +{ + "name": "Enforce-Guardrails-Storage", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Storage Account", + "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "storageKeysExpiration": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountRestrictNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageThreatProtection": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "storageClassicToArm": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsInfraEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountSharedKey": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsCrossTenant": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsDoubleEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsCopyScope": { + "type": 
"string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsAllowedCopyScope": { + "type": "string", + "defaultValue": "AAD" + }, + "storageServicesEncryption": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageLocalUser": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageSftp": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageNetworkAclsBypass": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAllowedNetworkAclsBypass": { + "type": "array", + "defaultValue": [ + "None" + ] + }, + "storageResourceAccessRulesTenantId": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageResourceAccessRulesResourceId": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageNetworkAclsVirtualNetworkRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageContainerDeleteRetentionPolicy": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageMinContainerDeleteRetentionInDays": { + "type": "Integer", + "defaultValue": 7 + }, + "storageCorsRules": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "modifyStorageFileSyncPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "modifyStorageAccountPublicEndpoint": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + 
"storageAccountsModifyDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope", + "policyDefinitionReferenceId": "Deny-Storage-CopyScope", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCopyScope')]" + }, + "allowedCopyScope": { + "value": "[[parameters('storageAccountsAllowedCopyScope')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption", + "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageServicesEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser", + "policyDefinitionReferenceId": "Deny-Storage-LocalUser", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageLocalUser')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP", + "policyDefinitionReferenceId": "Deny-Storage-SFTP", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageSftp')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass", + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsBypass')]" + }, + 
"allowedBypassOptions": { + "value": "[[parameters('storageAllowedNetworkAclsBypass')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId", + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesTenantId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId", + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesResourceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules", + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsVirtualNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy", + "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageContainerDeleteRetentionPolicy')]" + }, + "minContainerDeleteRetentionInDays": { + "value": "[[parameters('storageMinContainerDeleteRetentionInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules", + "policyDefinitionReferenceId": 
"Deny-Storage-CorsRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageCorsRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d", + "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312", + "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCrossTenant')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54", + "policyDefinitionReferenceId": "Deny-Storage-Shared-Key", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountSharedKey')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a", + "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsInfraEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", + "policyDefinitionReferenceId": "Deny-Storage-Classic", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageClassicToArm')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c", + "policyDefinitionReferenceId": "Dine-Storage-Threat-Protection", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageThreatProtection')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountRestrictNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", + "policyDefinitionReferenceId": "Deny-Storage-NetworkRules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", + "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageKeysExpiration')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b", + "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyStorageFileSyncPublicEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b", + "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('modifyStorageAccountPublicEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d", + "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} 
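Review bot: `storageAccountsAllowedCopyScope` is a free-form `string` with default `AAD` and no `allowedValues`, so a typo at assignment time is accepted silently and, depending on how the custom `Deny-Storage-CopyScope` definition compares it, either denies every account or none; as far as I know the Storage `allowedCopyScope` property only accepts `AAD` or `PrivateLink`, so pin it with `"allowedValues": ["AAD", "PrivateLink"]`. `storageLocalUser` is the only Deny-style parameter in this initiative that defaults to `Disabled` — if that is deliberate because `storageSftp` already defaults to `Deny`, record the reason in a `metadata.description` on the parameter rather than leaving an unexplained outlier that looks like a missed default. `storageMinContainerDeleteRetentionInDays` is typed `"Integer"` while every other parameter uses lowercase `"string"`/`"array"`; Azure tolerates both, but pick one casing for the file.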
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json
new file mode 100644
index 0000000000..a0b73748a5
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json
@@ -0,0 +1,201 @@ +{ + "name": "Enforce-Guardrails-Synapse", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Synapse workspaces", + "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.1.0", + "category": "Synapse", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "synapseLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseManagedVnet": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseDataTraffic": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTenants": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseAllowedTenantIds": { + "type": "array", + "defaultValue": [ + "[[subscription().tenantId]" + ] + }, + "synapseFwRules": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "synapseModifyLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "synapseDefender": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "synapseModifyTlsVersion": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, + "synapseModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + } + }, + 
"policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6", + "policyDefinitionReferenceId": "Dine-Synapse-Defender", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseDefender')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c", + "policyDefinitionReferenceId": "Modify-Synapse-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8", + "policyDefinitionReferenceId": "Deny-Synapse-Fw-Rules", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseFwRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0", + "policyDefinitionReferenceId": "Deny-Synapse-Tenant-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseTenants')]" + }, + "allowedTenantIds": { + "value": "[[parameters('synapseAllowedTenantIds')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218", + "policyDefinitionReferenceId": "Deny-Synapse-Data-Traffic", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseDataTraffic')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650", + "policyDefinitionReferenceId": "Deny-Synapse-Managed-Vnet", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseManagedVnet')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8", + 
"policyDefinitionReferenceId": "Deny-Synapse-Local-Auth", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140", + "policyDefinitionReferenceId": "Modify-Synapse-Tls-Version", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a", + "policyDefinitionReferenceId": "Modify-Synapse-Public-Network-Access", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseModifyPublicNetworkAccess')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json new file mode 100644 index 0000000000..33564dda5f --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json 
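Review bot: `Deny-Synapse-Fw-Rules` is a misleading reference ID: its effect comes from `synapseFwRules`, whose `allowedValues` are only `Audit` and `Disabled`, so this entry can never deny anything, and anyone reading the `Deny-` prefix in a compliance report will assume IP firewall rules are being blocked. Rename it `Audit-Synapse-Fw-Rules`, and if the built-in 56fd377d-… genuinely offers no Deny effect, note that in the PR description. This is also the only new initiative in the PR whose `metadata.version` starts at `1.1.0` rather than `1.0.0` — presumably carried over from an earlier location, but worth confirming since ALZ tooling keys definition updates off that field.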
@@ -0,0 +1,62 @@
+{
+ "name": "Enforce-Guardrails-VirtualDesktop",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Virtual Desktop",
+ "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Desktop Virtualization",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "avdWorkspaceModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
+ "avdHostPoolModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f",
+ "policyDefinitionReferenceId": "Modify-Workspace-PublicNetworkAccess",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdWorkspaceModifyPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d",
+ "policyDefinitionReferenceId": "Modify-Hostpool-PublicNetworkAccess",
+ "groupNames": [],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('avdHostPoolModifyPublicNetworkAccess')]"
+ }
+ }
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/roleDefinitions/OssDb-Owners.json b/src/resources/Microsoft.Authorization/roleDefinitions/OssDb-Owners.json
new file mode 100644
index 0000000000..b9403ca77d
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/roleDefinitions/OssDb-Owners.json
@@ -0,0 +1,29 @@
+{
+ "name": "6fca939a-1b08-420b-affd-3d3061ecceb2",
+ "type": "Microsoft.Authorization/roleDefinitions",
+ "apiVersion": "2022-04-01",
+ "properties": {
+ "roleName": "OssDb-Owners",
+ "description": "Platform-wide Open Source Database Owners: PostgreSQL, MySql",
+ "type": "customRole",
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Authorization/*/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.DBforMySQL/*",
+ "Microsoft.DBforPostgreSQL/*",
+ "Microsoft.DBforMariaDB/*"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ],
+ "assignableScopes": [
+ "/providers/Microsoft.Management/managementGroups/contoso"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/src/scripts/Set-RBACAmaPolicyAssignment.ps1 b/src/scripts/Set-RBACAmaPolicyAssignment.ps1
new file mode 100644
index 0000000000..564456a9a0
--- /dev/null
+++ b/src/scripts/Set-RBACAmaPolicyAssignment.ps1
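Review bot: The role's `description` says "PostgreSQL, MySql" but `actions` also grants `Microsoft.DBforMariaDB/*`; since the description is what an approver sees when this role is handed out, either drop the MariaDB wildcard or change it to `"description": "Platform-wide Open Source Database Owners: PostgreSQL, MySQL, MariaDB"`. Three provider-wide `/*` wildcards grant every current and future control-plane action on those providers, including administrator and configuration writes on the servers — consistent with an "Owners" role, but it should be a conscious choice stated in the PR description rather than implied by the name. `assignableScopes` is hard-coded to `contoso` like the custom policy definition IDs elsewhere in this PR, so I assume the deployment pipeline rewrites it; if it does not, the role cannot be assigned anywhere real.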
@@ -0,0 +1,79 @@
+#!/usr/bin/pwsh
+
+#
+# PowerShell Script
+# - Assigns 'Reader' role permissions on Platform MG to the identities (Deploy-vmHybr-Monitoring, Deploy-VM-Monitoring, Deploy-VMSS-Monitoring,
+# Deploy-vmArc-ChangeTrack, Deploy-VM-ChangeTrack, Deploy-VMSS-ChangeTrack) configured on the Landing Zones MG
+# - Assigns 'Managed Identity Operator' on both Platform and Landing Zones MGs to the "Enable-AUM-CheckUpdates" identity
+#
+
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', 'enterpriseScaleCompanyPrefix', Justification = 'False positive as rule does not know that Where-Object operates within the same scope')]
+
+[CmdletBinding(SupportsShouldProcess)]
+param(
+ # the pseudo managemnt group to start from
+ [Parameter(Mandatory = $True,
+ ValueFromPipeline = $false)]
+ [string]$enterpriseScaleCompanyPrefix
+)
+
+process {
+ $vmiCtIdentityList = "Deploy-vmHybr-Monitoring", "Deploy-VM-Monitoring", "Deploy-VMSS-Monitoring", "Deploy-vmArc-ChangeTrack", "Deploy-VM-ChangeTrack", "Deploy-VMSS-ChangeTrack"
+ $aumIdentityList = "Enable-AUM-CheckUpdates"
+
+ If (-NOT(Get-Module -ListAvailable Az.Resources)) {
+ Write-Output "This script requires the Az.Resources module."
+
+ $response = Read-Host "Would you like to install the 'Az.Resources' module now? (y/n)"
+ If ($response -match '[yY]') { Install-Module Az.Resources -Scope CurrentUser }
+ }
+
+ Write-Output "Retrieving Platform and Landing Zones management groups ..."
+
+ # getting Platform and Landing Zones mgs
+ $platformMg = Get-AzManagementGroup | Where-Object { $_.Name -like "$enterpriseScaleCompanyPrefix*-platform" } -ErrorAction SilentlyContinue
+ $landingZonesMg = Get-AzManagementGroup | Where-Object { $_.Name -like "$enterpriseScaleCompanyPrefix*-landingzones" } -ErrorAction SilentlyContinue
+
+ if ($platformMg -and $landingZonesMg) {
+ # getting role assignments for both Platform and landing Zones mgs
+ Write-Output "`tRetrieving role assignments on Platform management group ..."
+ $platformMgAumRoleAssignments = Get-AzRoleAssignment -Scope $($platformMg.Id) | where-object { $_.Displayname -in $aumIdentityList } | Sort-Object -Property ObjectId -Unique
+
+ Write-Output "`tRetrieving role assignments on Landing Zones management group ..."
+ $landingZonesMgAumRoleAssignments = Get-AzRoleAssignment -Scope $($landingZonesMg.Id) | where-object { $_.Displayname -in $aumIdentityList } | Sort-Object -Property ObjectId -Unique
+ $landingZonesMgVmiCtRoleAssignments = Get-AzRoleAssignment -Scope $($landingZonesMg.Id) | where-object { $_.Displayname -in $vmiCtIdentityList } | Sort-Object -Property ObjectId -Unique
+ # Performing role assignments
+ if ($landingZonesMgVmiCtRoleAssignments) {
+ # assigning Reader role for VMI and CT Managed Identities from LandingZones to Platform mg
+ Write-Output "`t`tAssigning 'Reader' role for 'VMInsights' and 'Change Tracking' Managed Identities from Landing Zones to Platform management group ..."
+ $landingZonesMgVmiCtRoleAssignments | ForEach-Object { New-AzRoleAssignment -Scope $($platformMg.Id) -RoleDefinitionName 'Reader' -ObjectId $_.ObjectId -ErrorAction SilentlyContinue }
+ }
+ else {
+ Write-Output "`t`tNo role assignment found on the Landing Zones management group for the given 'VMInsights' and 'Change Tracking' Managed Identities."
+ }
+
+ if ($landingZonesMgAumRoleAssignments) {
+ # assigning Managed Identity Operator to Azure Update Manager Managed Identity on Landing Zones mg
+ Write-Output "`t`tAssigning 'Managed Identity Operator' role to 'Azure Update Manager' Managed Identity on Landing Zones management group ..."
+ $landingZonesMgAumRoleAssignments | ForEach-Object { New-AzRoleAssignment -Scope $($landingZonesMg.Id) -RoleDefinitionName 'Managed Identity Operator' -ObjectId $_.ObjectId -ErrorAction SilentlyContinue }
+ }
+ else {
+ Write-Output "`t`tNo role assignment found on the Landing Zones management group for the given 'Azure Update Manger' Managed Identities."
+ }
+
+ if ($platformMgAumRoleAssignments) {
+ # assigning Managed Identity Operator to Azure Update Manager Managed Identity on Platform mg
+ Write-Output "`t`tAssigning 'Managed Identity Operator' role to 'Azure Update Manager' Managed Identity on Platform management group ..."
+ $platformMgAumRoleAssignments | ForEach-Object { New-AzRoleAssignment -Scope $($platformMg.Id) -RoleDefinitionName 'Managed Identity Operator' -ObjectId $_.ObjectId-ErrorAction SilentlyContinue }
+ }
+ else {
+ Write-Output "`t`tNo role assignment found on the Platform management group for the given 'Azure Update Manger' Managed Identity."
+ }
+ }
+ else {
+ Write-Output "`tOne or more management group of type 'Platform' and 'Landing Zones' was not found. Make sure you have the necessary permissions and/or that the hierachy is Azure Landing Zones aligned."
+ }
+}
+End {
+ Write-Output "Script execution completed."
+}
\ No newline at end of file
diff --git a/src/scripts/Update-AzureLandingZonesToAMA.ps1 b/src/scripts/Update-AzureLandingZonesToAMA.ps1
new file mode 100644
index 0000000000..bf32a701d3
--- /dev/null
+++ b/src/scripts/Update-AzureLandingZonesToAMA.ps1
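Review bot: In the Platform-MG AUM branch, `-ObjectId $_.ObjectId-ErrorAction SilentlyContinue` is missing the space before `-ErrorAction`; in argument mode PowerShell treats `$_.ObjectId-ErrorAction` as one expandable string (`<guid>-ErrorAction`) and passes `SilentlyContinue` positionally, so that `New-AzRoleAssignment` call should fail for every identity — the fix is `-ObjectId $_.ObjectId -ErrorAction SilentlyContinue`. The script declares `[CmdletBinding(SupportsShouldProcess)]` but never calls `$PSCmdlet.ShouldProcess`, so `-WhatIf` silently performs the RBAC grants; wrap each grant, e.g. `if ($PSCmdlet.ShouldProcess($platformMg.Id, "Assign 'Reader' to $($_.ObjectId)")) { New-AzRoleAssignment ... }`. `-ErrorAction SilentlyContinue` on the three `New-AzRoleAssignment` calls also hides authorization failures behind an "Assigning …" message, so either drop it or check `$?` per principal and report which assignments did not happen. Matching principals purely by `DisplayName` is weaker than it needs to be — any same-named user or group that already holds an assignment on the Landing Zones MG would be granted Reader / Managed Identity Operator on Platform — so add `$_.ObjectType -eq 'ServicePrincipal'` to the `where-object` filters. Note too that the `-ErrorAction SilentlyContinue` on the two `Get-AzManagementGroup` pipelines is bound to `Where-Object`, not to `Get-AzManagementGroup`, so it does not suppress the error it appears intended to.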
@@ -0,0 +1,938 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: + +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + +<# + .SYNOPSIS + Updates Azure Landing Zones to use AMA. + + .DESCRIPTION + The Update-AzureLandingZonesToAMA command performs the following tasks: + - Deploys User Assigned Managed Identity. + - Deploys VMInsights, ChangeTracking, and MDFC Defender for SQL. + - Updates Policy Definitions. + - Removes legacy Policy Assignments. + - Removes legacy solutions. + - Assigns new Policies and Initiatives. + - Updates Managed Identity roles. + - Creates Policy Remediation tasks. + + .PARAMETER location + Required. Specifies the deployment location. + + .PARAMETER eslzRoot + Required. Specifies the intermediate root management group name of the enterprise-scale landing zones environment. + + .PARAMETER managementResourceGroupName + Required. Specifies the name of the management resource group. 
+ + .PARAMETER workspaceResourceId + Required. Specifies the resource ID of the Log Analytics Workspace. + + .PARAMETER workspaceRegion + Required. Specifies the region of the Log Analytics Workspace. + + .PARAMETER DeployUserAssignedManagedIdentity + Specifies whether to deploy the User Assigned Managed Identity. + + .PARAMETER DeployVMInsights + Specifies whether to deploy VMInsights. + + .PARAMETER DeployChangeTracking + Specifies whether to deploy ChangeTracking. + + .PARAMETER DeployMDfCDefenderSQL + Specifies whether to deploy MDFC Defender for SQL. + + .PARAMETER DeployAzureUpdateManager + Specifies whether to deploy Azure Update Manager. + + .PARAMETER RemediatePolicies + Specifies whether to remediate policies. + + .PARAMETER RemoveLegacyPolicyAssignments + Specifies whether to remove legacy policy assignments. + + .PARAMETER RemoveLegacySolutions + Specifies whether to remove legacy solutions. + + .PARAMETER UpdatePolicyDefinitions + Specifies whether to update policy definitions. + + .PARAMETER RemoveObsoleteUAMI + Specifies whether to remove obsolete User Assigned Managed Identities. 
+ + .EXAMPLE + .\src\scripts\Update-AzureLandingZonesToAMA.ps1 -migrationPath MMAToAMA -location "northeurope" -eslzRoot "contoso" -managementResourceGroupName "contoso-mgmt" -workspaceResourceId "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}" -workspaceRegion "northeurope" -DeployUserAssignedManagedIdentity -DeployVMInsights -DeployChangeTracking -DeployMDfCDefenderSQL -DeployAzureUpdateManager -RemoveLegacyPolicyAssignments -RemoveLegacySolutions -UpdatePolicyDefinitions + + .LINK + https://github.com/Azure/Enterprise-Scale +#> + +# The following SuppressMessageAttribute entries are used to surpress PSScriptAnalyzer tests against known exceptions as per: +# https://github.com/powershell/psscriptanalyzer#suppressing-rules +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '', Justification = 'False positive')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '', Justification = 'Write-Host is used for console output')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Justification = 'Variable names are plural for consistency')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '', Justification = 'Approved verbs are not available for this scenario')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '', Justification = 'False positive')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '', Scope = 'Function', Target = '*-Policy*', Justification = 'ShouldProcess not required for these functions')] + +#Requires -Modules Az.Resources, Az.Accounts, Az.MonitoringSolutions, Az.ResourceGraph + +[CmdletBinding(SupportsShouldProcess)] +param ( + [Parameter(Mandatory = $true)] + [string] + $location, + + [Parameter(Mandatory = $true)] + [string] + $eslzRoot, + + [Parameter(Mandatory = $true)] + [string] + 
$managementResourceGroupName, + + [Parameter(Mandatory = $true)] + [string] + $workspaceResourceId, + + [Parameter(Mandatory = $true)] + [string] + $workspaceRegion, + + [Parameter(Mandatory = $true)] + [ValidateSet("MMAToAMA", "UpdateAMA")] + [string] + $migrationPath, + + [switch] + $deployUserAssignedManagedIdentity, + + [switch] + $deployVMInsights, + + [switch] + $deployChangeTracking, + + [switch] + $deployMDfCDefenderSQL, + + [switch] + $deployAzureUpdateManager, + + [switch] + $remediatePolicies, + + [switch] + $removeLegacyPolicyAssignments, + + [switch] + $removeLegacySolutions, + + [switch] + $updatePolicyDefinitions, + + [switch] + $removeObsoleteUAMI, + + [string] + $obsoleteUAMIResourceGroupName = "rg-ama-prod-001" +) + +function Add-RbacRolesToManagedIdentities { + [CmdletBinding(SupportsShouldProcess)] + Param( + [Parameter(Mandatory = $true)] + [string] + $enterpriseScaleCompanyPrefix, + + [Parameter()] + [array] + $azureComputePolicyList, + + [Parameter()] + [array] + $arcEnabledPolicyList + ) + + Write-Output "Retrieving Landing Zones management group ..." + + # Getting Platform and Landing Zones management groups + $platformMg = Get-AzManagementGroup | Where-Object { $_.Name -like "$enterpriseScaleCompanyPrefix*-platform" } -ErrorAction SilentlyContinue + $landingZonesMg = Get-AzManagementGroup | Where-Object { $_.Name -like "$enterpriseScaleCompanyPrefix*-landingzones" } -ErrorAction SilentlyContinue + + + if ($platformMg -and $landingZonesMg) { + + Write-Output "`tRetrieving role assignments on Landing Zones management group ..." 
+ $landingZonesMgHybridRoleAssignments = Get-AzRoleAssignment -Scope $($landingZonesMg.Id) | where-object { $_.Displayname -in $arcEnabledPolicyList } | Sort-Object -Property ObjectId -Unique + $landingZonesMgVmiCtRoleAssignments = Get-AzRoleAssignment -Scope $($landingZonesMg.Id) | where-object { $_.Displayname -in $azureComputePolicyList } | Sort-Object -Property ObjectId -Unique + + # Performing role assignments + + if ($landingZonesMgVmiCtRoleAssignments) { + # Assigning Reader and Managed Identity Operator to VMInsights, Change Tracking and MDfC Defender for SQL Managed Identities + Write-Output "`t`tAssigning 'Reader' and 'Managed Identity Operator' roles to 'VMInsights', 'Change Tracking' and 'MDfC Defender for SQL' Managed Identities from Landing Zones to Platform management group ..." + $landingZonesMgVmiCtRoleAssignments | ForEach-Object { New-AzRoleAssignment -Scope $($platformMg.Id) -RoleDefinitionName 'Reader' -ObjectId $_.ObjectId -ErrorAction SilentlyContinue } + $landingZonesMgVmiCtRoleAssignments | ForEach-Object { New-AzRoleAssignment -Scope $($platformMg.Id) -RoleDefinitionName 'Managed Identity Operator' -ObjectId $_.ObjectId -ErrorAction SilentlyContinue } + } + else { + Write-Output "`t`tNo role assignment found on the Landing Zones management group for the given 'VMInsights', 'Change Tracking' or 'MDfC Defender for SQL' Managed Identities." + } + + if ($landingZonesMgHybridRoleAssignments) { + # Assigning Reader to Hybrid VMInsights and Change Tracking Managed Identities + Write-Output "`t`tAssigning 'Reader' role to 'VMInsights' and 'Change Tracking' Managed Identity from Landing Zones on Platform management group ..." 
+ $landingZonesMgHybridRoleAssignments | ForEach-Object { New-AzRoleAssignment -Scope $($platformMg.Id) -RoleDefinitionName 'Reader' -ObjectId $_.ObjectId -ErrorAction SilentlyContinue } + } + else { + Write-Output "`t`tNo role assignment found on the Landing Zones management group for the given 'VMInsights' and 'Change Tracking' Managed Identities." + } + + } + else { + Write-Output "`tOne or more management group of type 'Platform' and 'Landing Zones' was not found. Make sure you have the necessary permissions and/or that the hierachy is Azure Landing Zones aligned." + } +} +function Start-PolicyRemediation { + [CmdletBinding(SupportsShouldProcess)] + Param( + [Parameter(Mandatory = $true)] [string] $managementGroupName, + [Parameter(Mandatory = $true)] [string] $policyAssignmentName, + [Parameter(Mandatory = $true)] [string] $polassignId, + [Parameter(Mandatory = $false)] [string] $policyDefinitionReferenceId + ) + $guid = New-Guid + #create remediation for the individual policy + $uri = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.PolicyInsights/remediations/$($policyName)-$($guid)?api-version=2021-10-01" + $body = @{ + properties = @{ + policyAssignmentId = "$polassignId" + } + } + if ($policyDefinitionReferenceId) { + $body.properties.policyDefinitionReferenceId = $policyDefinitionReferenceId + } + $body = $body | ConvertTo-Json -Depth 10 + Invoke-AzRestMethod -Uri $uri -Method PUT -Payload $body +} +function Get-PolicyType { + [CmdletBinding(SupportsShouldProcess)] + Param ( + [Parameter(Mandatory = $true)] [string] $managementGroupName, + [Parameter(Mandatory = $true)] [string] $policyName + ) + + #Validate that the management group exists through the Azure REST API + $uri = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$($managementGroupName)?api-version=2021-04-01" + $result = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json 
-Depth 100 + if ($result.error) { + throw "Management group $managementGroupName does not exist, please specify a valid management group name" + } + + # Getting custom policySetDefinitions + $uri = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.Authorization/policySetDefinitions?&api-version=2023-04-01" + $initiatives = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 + + #Get policy assignments at management group scope + $assignmentFound = $false + $uri = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.Authorization/policyAssignments?`$filter=atScope()&api-version=2022-06-01" + $result = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 + + #iterate through the policy assignments + $result.value | ForEach-Object { + #check if the policy assignment is for the specified policy set definition + If ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policySetDefinitions/$policyName") { + # Go to enumerating policy set + $assignmentFound = $true + Enumerate-PolicySet -managementGroupName $managementGroupName -policyAssignmentObject $PSItem + } + Elseif ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policyDefinitions/$policyName") { + # Go to handling individual policy + $assignmentFound = $true + Enumerate-Policy -managementGroupName $managementGroupName -policyAssignmentObject $PSItem + } + Else { + # Getting parent initiative for unassigned individual policies + If ($initiatives) { + $parentInitiative = $initiatives.value | Where-Object { ($_.properties.policyType -eq 'Custom') -and ($_.properties.metadata -like '*_deployed_by_amba*') } | Where-Object { $_.properties.policyDefinitions.policyDefinitionReferenceId -eq $policyname } + + # Getting the assignment of the parent initiative + 
If ($parentInitiative) { + If ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policySetDefinitions/$($parentInitiative.name)") { + # Invoking policy remediation + $assignmentFound = $true + Start-PolicyRemediation -managementGroupName $managementGroupName -policyAssignmentName $PSItem.name -polassignId $PSItem.id -policyDefinitionReferenceId $policyName + } + } + } + } + } + + #if no policy assignments were found for the specified policy name, throw an error + If (!$assignmentFound) { + throw "No policy assignments found for policy $policyName at management group scope $managementGroupName" + } +} +function Enumerate-PolicySet { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter(Mandatory = $true)] [string] $managementGroupName, + [Parameter(Mandatory = $true)] [object] $policyAssignmentObject + ) + #extract policy assignment information + $policyAssignmentObject + $polassignId = $policyAssignmentObject.id + $name = $policyAssignmentObject.name + $policySetId = $policyAssignmentObject.properties.policyDefinitionId + $policySetId + $psetUri = "https://management.azure.com$($policySetId)?api-version=2021-06-01" + $policySet = (Invoke-AzRestMethod -Uri $psetUri -Method GET).Content | ConvertFrom-Json -Depth 100 + $policySet + $policies = $policySet.properties.policyDefinitions + #iterate through the policies in the policy set + Foreach ($policy in $policies) { + $policyDefinitionId = $policy.policyDefinitionId + $policyDefinitionReferenceId = $policy.policyDefinitionReferenceId + #trigger remediation for the individual policy + Start-PolicyRemediation -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId -policyDefinitionReferenceId $policyDefinitionReferenceId + } +} +function Enumerate-Policy { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter(Mandatory = $true)] [string] $managementGroupName, + [Parameter(Mandatory = $true)] [object] $policyAssignmentObject + ) 
+ #extract policy assignment information + $polassignId = $policyAssignmentObject.id + $name = $policyAssignmentObject.name + $policyDefinitionId = $policyAssignmentObject.properties.policyDefinitionId + Start-PolicyRemediation -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId +} +function Update-Policies { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter(Mandatory = $true)] + [string] + $eslzRoot, + + [Parameter(Mandatory = $true)] + [string] + $location + ) + begin { + $resultsPolicy = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $eslzRoot -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyDefinitions\policies.json" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot } | Out-string -Stream | Select-String -Pattern 'Resource changes' + $resultsPolicySet = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $eslzRoot -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyDefinitions\initiatives.json" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot } | Out-string -Stream | Select-String -Pattern 'Resource changes' + } + process { + if ($PSCmdlet.ShouldProcess($eslzRoot, "- Updating Policy Definitions: $resultsPolicy")) { + # Update Policy Definitions + Write-Host "- Updating Policy Definitions: $resultsPolicy ..." -ForegroundColor DarkCyan + New-AzManagementGroupDeployment -ManagementGroupId $eslzRoot -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyDefinitions\policies.json" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot } > $null + } + if ($PSCmdlet.ShouldProcess($eslzRoot, "- Updating Policy Set Definitions: $resultsPolicySet")) { + # Update Policy Set Definitions + Write-Host "- Updating Policy Set Definitions: $resultsPolicySet ..." 
-ForegroundColor DarkCyan + New-AzManagementGroupDeployment -ManagementGroupId $eslzRoot -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyDefinitions\initiatives.json" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot } > $null + } + } +} +function Remove-LegacyAssignments { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter(Mandatory = $true)] + [string] + $scope, + + [Parameter(Mandatory = $true)] + [array] + $legacyAssignments + ) + process { + foreach ($legacyAssignment in $legacyAssignments) { + $assignment = Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$scope/providers/microsoft.authorization/policyassignments/$legacyAssignment" -ErrorAction SilentlyContinue + if ($PSCmdlet.ShouldProcess($scope, "- Removing legacy Policy Assignments: $($assignment.Name)")) { + if ($assignment) { + Write-Host "- Removing legacy Policy Assignments: $($assignment.Name) from scope $scope ..." -ForegroundColor DarkRed + Remove-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$scope/providers/microsoft.authorization/policyassignments/$legacyAssignment" > $null + } + else { + Write-Host "- No legacy Policy Assignments found ..." 
-ForegroundColor DarkGray + } + } + } + } +} +function Deploy-UserAssignedManagedIdentity { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter(Mandatory = $true)] + [string] + $eslzRoot, + + [Parameter(Mandatory = $true)] + [string] + $location, + + [Parameter(Mandatory = $true)] + [string] + $managementResourceGroupName, + + [Parameter(Mandatory = $true)] + [string] + $platformScope, + + [Parameter(Mandatory = $true)] + [string] + $userAssignedIdentityName + ) + begin { + $uami = Get-AzUserAssignedIdentity -Name $userAssignedIdentityName -ResourceGroupName $managementResourceGroupName -ErrorAction SilentlyContinue + $uamiAssignment = Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$platformScope/providers/microsoft.authorization/policyassignments/DenyAction-DeleteUAMIAMA" -ErrorAction SilentlyContinue + $resultsUAMI = Get-AzResourceGroupDeploymentWhatIfResult -ResourceGroupName $managementResourceGroupName -TemplateFile ".\eslzArm\resourceGroupTemplates\userAssignedIdentity.json" -TemplateParameterObject @{"location" = $location; "userAssignedIdentityName" = $userAssignedIdentityName; "userAssignedIdentityResourceGroup" = $managementResourceGroupName } | Out-string -Stream | Select-String -Pattern 'Resource changes' + $resultsUAMIAssignment = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $platformScope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\DENYACTION-DeleteUAMIAMAPolicyAssignment.json" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "resourceName" = $userAssignedIdentityName; "resourceType" = "Microsoft.ManagedIdentity/userAssignedIdentities" } | Out-string -Stream | Select-String -Pattern 'Resource changes' + } + process { + if ($PSCmdlet.ShouldProcess($managementResourceGroupName, "- Deploying User Assigned Managed Identity: ${userAssignedIdentityName}; $resultsUAMI")) { + if ($uami) { + Write-Host "- Found existing User Assigned 
Managed Identity $userAssignedIdentityName ..." -ForegroundColor DarkGray + } + if (-NOT($uami)) { + Write-Host "- Deploying User Assigned Managed Identity: Name: ${userAssignedIdentityName} to resource group ${managementResourceGroupName}; $resultsUAMI ..." -ForegroundColor DarkGreen + New-AzResourceGroupDeployment -ResourceGroupName $managementResourceGroupName -TemplateFile ".\eslzArm\resourceGroupTemplates\userAssignedIdentity.json" -TemplateParameterObject @{"location" = $location; "userAssignedIdentityName" = $userAssignedIdentityName; "userAssignedIdentityResourceGroup" = $managementResourceGroupName } > $null + } + } + if ($PSCmdlet.ShouldProcess($platformScope, "- Assigning 'DenyAction-DeleteUAMIAMA' policy: $resultsUAMIAssignment")) { + if ($uamiAssignment) { + Write-Host "- Found existing policy assignment: $($uamiAssignment.Name) on $platformScope ..." -ForegroundColor DarkGray + } + if (-NOT($uamiAssignment)) { + Write-Host "- Assigning 'DenyAction-DeleteUAMIAMA' policy to scope $platformScope ..." 
-ForegroundColor DarkGreen + New-AzManagementGroupDeployment -ManagementGroupId $platformScope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\DENYACTION-DeleteUAMIAMAPolicyAssignment.json" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "resourceName" = $userAssignedIdentityName; "resourceType" = "Microsoft.ManagedIdentity/userAssignedIdentities" } > $null + } + } + } +} +function Deploy-VMInsights { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter(Mandatory = $true)] + [string] + $location, + + [Parameter(Mandatory = $true)] + [string] + $eslzRoot, + + [Parameter(Mandatory = $true)] + [string] + $managementResourceGroupName, + + [Parameter(Mandatory = $true)] + [string] + $workspaceResourceId, + + [Parameter(Mandatory = $true)] + [string] + $userAssignedIdentityName, + + [Parameter(Mandatory = $true)] + [array] + $scopes, + + [Parameter(Mandatory = $true)] + [array] + $VMInsightsAssignmentTemplates, + + [Parameter(Mandatory = $true)] + [string] + $migrationPath + ) + begin { + $userAssignedIdentityResourceId = (Get-AzUserAssignedIdentity -Name $userAssignedIdentityName -ResourceGroupName $managementResourceGroupName -ErrorAction SilentlyContinue).Id + $dataCollectionRuleVmInsightsName = "dcr-vminsights-prod-$location-001" + $dcrVMinsights = Get-AzDataCollectionRule -Name $dataCollectionRuleVmInsightsName -ResourceGroupName $managementResourceGroupName -ErrorAction SilentlyContinue + $resultsDcrVMInsights = Get-AzResourceGroupDeploymentWhatIfResult -ResourceGroupName $managementResourceGroupName -TemplateFile ".\eslzArm\resourceGroupTemplates\dataCollectionRule-VmInsights.json" -TemplateParameterObject @{"userGivenDcrName" = $dataCollectionRuleVmInsightsName; "workspaceResourceId" = $workspaceResourceId; "workspaceLocation" = $location } | Out-string -Stream | Select-String -Pattern 'Resource changes' + } + process { + if ($PSCmdlet.ShouldProcess($managementResourceGroupName, "- 
Deploying a data collection rule for VMInsights: Name: ${dataCollectionRuleVmInsightsName}; $resultsDcrVMInsights")) { + if ($dcrVMinsights) { + Write-Host "- Found existing data collection rule: $($dcrVMinsights.Name) ..." -ForegroundColor DarkGray + } + if (-NOT($dcrVMinsights)) { + Write-Host "- Deploying a data collection rule for VMInsights: Name: ${dataCollectionRuleVmInsightsName} to resource group ${managementResourceGroupName}; $resultsDcrVMInsights ..." -ForegroundColor DarkGreen + New-AzResourceGroupDeployment -ResourceGroupName $managementResourceGroupName -TemplateFile ".\eslzArm\resourceGroupTemplates\dataCollectionRule-VmInsights.json" -TemplateParameterObject @{"userGivenDcrName" = $dataCollectionRuleVmInsightsName; "workspaceResourceId" = $workspaceResourceId; "workspaceLocation" = $location } > $null + } + $dataCollectionRuleResourceIdVMInsights = (Get-AzDataCollectionRule -Name $dataCollectionRuleVmInsightsName -ResourceGroupName $managementResourceGroupName -ErrorAction SilentlyContinue).Id + } + # Assign policies for VMInsights + foreach ($scope in $scopes) { + foreach ($template in $VMInsightsAssignmentTemplates) { + if ($template -eq "DINE-VMMonitoringPolicyAssignment.json") { + $vminsightsAssignment = Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$scope/providers/microsoft.authorization/policyassignments/Deploy-VM-Monitoring" -ErrorAction SilentlyContinue + $resultsVminsightsAssignment = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = "placeholder"; "userAssignedIdentityResourceId" = "placeholder" } | Out-string -Stream | Select-String -Pattern 'Resource changes' + } + if ($template -eq "DINE-VMSSMonitoringPolicyAssignment.json") { + $vminsightsAssignment = 
Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$scope/providers/microsoft.authorization/policyassignments/Deploy-VMSS-Monitoring" -ErrorAction SilentlyContinue + $resultsVminsightsAssignment = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = "placeholder"; "userAssignedIdentityResourceId" = "placeholder" } | Out-string -Stream | Select-String -Pattern 'Resource changes' + } + if ($template -eq "DINE-VMHybridMonitoringPolicyAssignment.json") { + $vminsightsAssignment = Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$scope/providers/microsoft.authorization/policyassignments/Deploy-vmHybr-Monitoring" -ErrorAction SilentlyContinue + $resultsVminsightsAssignment = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = "placeholder" } | Out-string -Stream | Select-String -Pattern 'Resource changes' + } + if ($vminsightsAssignment) { + if ($migrationPath -eq "UpdateAMA") { + if ($PSCmdlet.ShouldProcess($scope, "- Updating policy assignment for VMInsights: $($vminsightsAssignment.Name); $resultsVminsightsAssignment")) { + if ($template -eq "DINE-VMHybridMonitoringPolicyAssignment.json") { + Write-Host "- Updating policy assignment for VMInsights: $($vminsightsAssignment.Name) on $($scope); $resultsVminsightsAssignment ..." 
-ForegroundColor DarkGreen + New-AzManagementGroupDeployment -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = $dataCollectionRuleResourceIdVMInsights } -ErrorAction SilentlyContinue > $null + } + if ($template -eq "DINE-VMSSMonitoringPolicyAssignment.json" -or $template -eq "DINE-VMMonitoringPolicyAssignment.json") { + Write-Host "- Updating policy assignment for VMInsights: $($vminsightsAssignment.Name) on $($scope); $resultsVminsightsAssignment ..." -ForegroundColor DarkGreen + New-AzManagementGroupDeployment -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = $dataCollectionRuleResourceIdVMInsights; "userAssignedIdentityResourceId" = $userAssignedIdentityResourceId } -ErrorAction SilentlyContinue > $null + } + } + } + else { + Write-Host "- Found existing policy assignment: $($vminsightsAssignment.Name) on $($scope) ..." -ForegroundColor DarkGray + } + } + if (-NOT($vminsightsAssignment)) { + if ($PSCmdlet.ShouldProcess($scope, "- Assigning policies for VMInsights: ${template}; $resultsVminsightsAssignment")) { + if ($template -eq "DINE-VMHybridMonitoringPolicyAssignment.json") { + Write-Host "- Assigning policies for VMInsights: ${template} to scope ${scope}; $resultsVminsightsAssignment ..." 
-ForegroundColor DarkGreen + New-AzManagementGroupDeployment -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = $dataCollectionRuleResourceIdVMInsights } > $null + } + if ($template -eq "DINE-VMSSMonitoringPolicyAssignment.json" -or $template -eq "DINE-VMMonitoringPolicyAssignment.json") { + Write-Host "- Assigning policies for VMInsights: ${template} to scope ${scope}; $resultsVminsightsAssignment ..." -ForegroundColor DarkGreen + New-AzManagementGroupDeployment -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = $dataCollectionRuleResourceIdVMInsights; "userAssignedIdentityResourceId" = $userAssignedIdentityResourceId } > $null + } + } + } + } + } + # Assign roles to Managed Identities + if ($PSCmdlet.ShouldProcess($scope, "- Assigning roles to Managed Identities")) { + Write-Host "- Assigning roles to Managed Identities ..." 
-ForegroundColor DarkGreen
+ Add-RbacRolesToManagedIdentities -enterpriseScaleCompanyPrefix $eslzRoot -azureComputePolicyList @("Deploy-VM-Monitoring", "Deploy-VMSS-Monitoring") -arcEnabledPolicyList @("Deploy-vmHybr-Monitoring") > $null
+ }
+ }
+}
+function Deploy-ChangeTracking {
+ [CmdletBinding(SupportsShouldProcess)]
+ param (
+ [Parameter(Mandatory = $true)]
+ [string]
+ $location,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $eslzRoot,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $managementResourceGroupName,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $workspaceResourceId,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $userAssignedIdentityName,
+
+ [Parameter(Mandatory = $true)]
+ [array]
+ $scopes,
+
+ [Parameter(Mandatory = $true)]
+ [array]
+ $ChangeTrackingAssignmentTemplates,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $migrationPath
+ )
+ begin {
+ $userAssignedIdentityResourceId = (Get-AzUserAssignedIdentity -Name $userAssignedIdentityName -ResourceGroupName $managementResourceGroupName -ErrorAction SilentlyContinue).Id
+ $dataCollectionRuleChangeTrackingName = "dcr-changetracking-prod-$location-001"
+ $dcrChangeTracking = Get-AzDataCollectionRule -Name $dataCollectionRuleChangeTrackingName -ResourceGroupName $managementResourceGroupName -ErrorAction SilentlyContinue
+ $resultsDcrChangeTracking = Get-AzResourceGroupDeploymentWhatIfResult -ResourceGroupName $managementResourceGroupName -TemplateFile ".\eslzArm\resourceGroupTemplates\dataCollectionRule-CT.json" -TemplateParameterObject @{"dataCollectionRuleName" = $dataCollectionRuleChangeTrackingName; "workspaceResourceId" = $workspaceResourceId; "workspaceLocation" = $location } | Out-string -Stream | Select-String -Pattern 'Resource changes'
+ }
+ process {
+ if ($PSCmdlet.ShouldProcess($managementResourceGroupName, "Deploying a data collection rule for ChangeTracking: Name: ${dataCollectionRuleChangeTrackingName}; $resultsDcrChangeTracking")) {
+ if ($dcrChangeTracking) {
+ Write-Host "- Found existing data collection rule: $($dcrChangeTracking.Name) ..." -ForegroundColor DarkGray
+ }
+ if (-NOT($dcrChangeTracking)) {
+ Write-Host "- Deploying a data collection rule for ChangeTracking: Name: ${dataCollectionRuleChangeTrackingName} to resource group ${managementResourceGroupName}; $resultsDcrChangeTracking ..." -ForegroundColor DarkGreen
+ New-AzResourceGroupDeployment -ResourceGroupName $managementResourceGroupName -TemplateFile ".\eslzArm\resourceGroupTemplates\dataCollectionRule-CT.json" -TemplateParameterObject @{"dataCollectionRuleName" = $dataCollectionRuleChangeTrackingName; "workspaceResourceId" = $workspaceResourceId; "workspaceLocation" = $location } > $null
+ }
+ $dataCollectionRuleResourceIdChangeTracking = (Get-AzDataCollectionRule -Name $dataCollectionRuleChangeTrackingName -ResourceGroupName $managementResourceGroupName).Id
+ }
+ # Assign policies for ChangeTracking
+ foreach ($scope in $scopes) {
+ foreach ($template in $ChangeTrackingAssignmentTemplates) {
+ if ($template -eq "DINE-ChangeTrackingVMPolicyAssignment.json") {
+ $changeTrackingAssignment = Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$scope/providers/microsoft.authorization/policyassignments/Deploy-VM-ChangeTrack" -ErrorAction SilentlyContinue
+ $resultChangeTrackingAssignment = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = "placeholder"; "userAssignedIdentityResourceId" = "placeholder" } | Out-string -Stream | Select-String -Pattern 'Resource changes'
+ }
+ if ($template -eq "DINE-ChangeTrackingVMSSPolicyAssignment.json") {
+ $changeTrackingAssignment = Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$scope/providers/microsoft.authorization/policyassignments/Deploy-VMSS-ChangeTrack" -ErrorAction SilentlyContinue
+ $resultChangeTrackingAssignment = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = "placeholder"; "userAssignedIdentityResourceId" = "placeholder" } | Out-string -Stream | Select-String -Pattern 'Resource changes'
+ }
+ if ($template -eq "DINE-ChangeTrackingVMArcPolicyAssignment.json") {
+ $changeTrackingAssignment = Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$scope/providers/microsoft.authorization/policyassignments/Deploy-vmArc-ChangeTrack" -ErrorAction SilentlyContinue
+ $resultChangeTrackingAssignment = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = "placeholder" } | Out-string -Stream | Select-String -Pattern 'Resource changes'
+ }
+ if ($changeTrackingAssignment) {
+ if ($migrationPath -eq "UpdateAMA") {
+ if ($PSCmdlet.ShouldProcess($scope, "- Updating policy assignment for ChangeTracking: $($changeTrackingAssignment.Name); $resultChangeTrackingAssignment")) {
+ if ($template -eq "DINE-ChangeTrackingVMArcPolicyAssignment.json") {
+ Write-Host "- Updating policy assignment for ChangeTracking: $($changeTrackingAssignment.Name) on $($scope); $resultChangeTrackingAssignment ..." -ForegroundColor DarkGreen
+ New-AzManagementGroupDeployment -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = $dataCollectionRuleResourceIdChangeTracking } -ErrorAction SilentlyContinue > $null
+ }
+ if ($template -eq "DINE-ChangeTrackingVMPolicyAssignment.json" -or $template -eq "DINE-ChangeTrackingVMSSPolicyAssignment.json") {
+ Write-Host "- Updating policy assignment for ChangeTracking: $($changeTrackingAssignment.Name) on $($scope); $resultChangeTrackingAssignment ..." -ForegroundColor DarkGreen
+ New-AzManagementGroupDeployment -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = $dataCollectionRuleResourceIdChangeTracking; "userAssignedIdentityResourceId" = $userAssignedIdentityResourceId } -ErrorAction SilentlyContinue > $null
+ }
+ }
+ }
+ else {
+ Write-Host "- Found existing policy assignment: $($changeTrackingAssignment.Name) on $($scope) ..." -ForegroundColor DarkGray
+ }
+ }
+ if (-NOT($changeTrackingAssignment)) {
+ if ($PSCmdlet.ShouldProcess($scope, "- Assigning policies for ChangeTracking: ${template}; $resultChangeTrackingAssignment")) {
+ if ($template -eq "DINE-ChangeTrackingVMArcPolicyAssignment.json") {
+ Write-Host "- Assigning policies for ChangeTracking: $template to scope ${scope}; $resultChangeTrackingAssignment ..." -ForegroundColor DarkGreen
+ New-AzManagementGroupDeployment -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = $dataCollectionRuleResourceIdChangeTracking } > $null
+ }
+ if ($template -eq "DINE-ChangeTrackingVMPolicyAssignment.json" -or $template -eq "DINE-ChangeTrackingVMSSPolicyAssignment.json") {
+ Write-Host "- Assigning policies for ChangeTracking: $template to scope ${scope}; $resultChangeTrackingAssignment ..." -ForegroundColor DarkGreen
+ New-AzManagementGroupDeployment -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "dataCollectionRuleResourceId" = $dataCollectionRuleResourceIdChangeTracking; "userAssignedIdentityResourceId" = $userAssignedIdentityResourceId } > $null
+ }
+ }
+ }
+ }
+ }
+ # Assign roles to Managed Identities
+ if ($PSCmdlet.ShouldProcess($scope, "- Assigning roles to Managed Identities")) {
+ Write-Host "- Assigning roles to Managed Identities ..." -ForegroundColor DarkGreen
+ Add-RbacRolesToManagedIdentities -enterpriseScaleCompanyPrefix $eslzRoot -azureComputePolicyList @("Deploy-VM-ChangeTrack", "Deploy-VMSS-ChangeTrack") -arcEnabledPolicyList @("Deploy-vmArc-ChangeTrack") > $null
+ }
+ }
+}
+function Deploy-MDFCDefenderSQL {
+ [CmdletBinding(SupportsShouldProcess)]
+ param (
+ [Parameter(Mandatory = $true)]
+ [string]
+ $location,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $eslzRoot,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $managementResourceGroupName,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $workspaceResourceId,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $userAssignedIdentityName,
+
+ [Parameter(Mandatory = $true)]
+ [array]
+ $scopes,
+
+ [Parameter(Mandatory = $true)]
+ [array]
+ $MDfCDefenderSQLAssignmentTemplates
+ )
+ begin {
+ $userAssignedIdentityResourceId = (Get-AzUserAssignedIdentity -Name $userAssignedIdentityName -ResourceGroupName $managementResourceGroupName -ErrorAction SilentlyContinue).Id
+ $dataCollectionRuleMdfcDefenderSqlName = "dcr-defendersql-prod-$location-001"
+ $dcrMDfCDefenderSQL = Get-AzDataCollectionRule -Name $dataCollectionRuleMdfcDefenderSqlName -ResourceGroupName $managementResourceGroupName -ErrorAction SilentlyContinue
+ $resultsDcrMDfCDefenderSQL = Get-AzResourceGroupDeploymentWhatIfResult -ResourceGroupName $managementResourceGroupName -TemplateFile ".\eslzArm\resourceGroupTemplates\dataCollectionRule-DefenderSQL.json" -TemplateParameterObject @{"userGivenDcrName" = $dataCollectionRuleMdfcDefenderSqlName; "workspaceResourceId" = $workspaceResourceId; "workspaceLocation" = $location } | Out-string -Stream | Select-String -Pattern 'Resource changes'
+ }
+ process {
+ if ($PSCmdlet.ShouldProcess($managementResourceGroupName, "- Deploying a data collection rule for MDFC Defender for SQL: Name: ${dataCollectionRuleMdfcDefenderSqlName}; $resultsDcrMDfCDefenderSQL")) {
+ if ($dcrMDfCDefenderSQL) {
+ Write-Host "- Found existing data collection rule: $($dcrMDfCDefenderSQL.Name) ..." -ForegroundColor DarkGray
+ }
+ if (-NOT($dcrMDfCDefenderSQL)) {
+ Write-Host "- Deploying a data collection rule for MDFC Defender for SQL: Name: ${dataCollectionRuleMdfcDefenderSqlName} to resource group ${managementResourceGroupName}; $resultsDcrMDfCDefenderSQL ..." -ForegroundColor DarkGreen
+ New-AzResourceGroupDeployment -ResourceGroupName $managementResourceGroupName -TemplateFile ".\eslzArm\resourceGroupTemplates\dataCollectionRule-DefenderSQL.json" -TemplateParameterObject @{"userGivenDcrName" = $dataCollectionRuleMdfcDefenderSqlName; "workspaceResourceId" = $workspaceResourceId; "workspaceLocation" = $location } > $null
+ }
+ $dataCollectionRuleResourceIdMDfCDefenderSQL = (Get-AzDataCollectionRule -Name $dataCollectionRuleMdfcDefenderSqlName -ResourceGroupName $managementResourceGroupName).Id
+ }
+ # Assign policies for MDFC Defender for SQL
+ foreach ($scope in $scopes) {
+ foreach ($template in $MDfCDefenderSQLAssignmentTemplates) {
+ $resultsMDfCDefenderSQLAssignment = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "userWorkspaceResourceId" = $workspaceResourceId; "workspaceRegion" = $location; "dcrResourceId" = "placeholder"; "userAssignedIdentityResourceId" = "placeholder" } | Out-string -Stream | Select-String -Pattern 'Resource changes'
+ if ($PSCmdlet.ShouldProcess($scope, "- Assigning policies for MDFC Defender for SQL: ${template} to scope ${scope}; $resultsMDfCDefenderSQLAssignment")) {
+ $mdfcDefenderSQLAssignment = Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$scope/providers/microsoft.authorization/policyassignments/Deploy-MDFC-DefSQL-AMA" -ErrorAction SilentlyContinue
+ if ($mdfcDefenderSQLAssignment) {
+ Write-Host "- Found existing policy assignment: $($mdfcDefenderSQLAssignment.Name) on $($scope) ..." -ForegroundColor DarkGray
+ }
+ if (-NOT($mdfcDefenderSQLAssignment)) {
+ Write-Host "- Assigning policies for MDFC Defender for SQL: ${template} to scope ${scope}; $resultsMDfCDefenderSQLAssignment ..." -ForegroundColor DarkGreen
+ New-AzManagementGroupDeployment -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope; "userWorkspaceResourceId" = $workspaceResourceId; "workspaceRegion" = $workspaceRegion; "dcrResourceId" = $dataCollectionRuleResourceIdMDfCDefenderSQL; "userAssignedIdentityResourceId" = $userAssignedIdentityResourceId } > $null
+ }
+ }
+ }
+ }
+ # Assign roles to Managed Identities
+ if ($PSCmdlet.ShouldProcess($scope, "- Assigning roles to Managed Identities")) {
+ Write-Host "- Assigning roles to Managed Identities ..." -ForegroundColor DarkGreen
+ Add-RbacRolesToManagedIdentities -enterpriseScaleCompanyPrefix $eslzRoot -azureComputePolicyList @("Deploy-MDFC-DefSQL-AMA") > $null
+ }
+ }
+}
+function Deploy-AzureUpdateManager {
+ [CmdletBinding(SupportsShouldProcess)]
+ param (
+ [Parameter(Mandatory = $true)]
+ [string]
+ $location,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $eslzRoot,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $managementResourceGroupName,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $workspaceResourceId,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $userAssignedIdentityName
+ )
+ process {
+ foreach ($scope in $scopes) {
+ foreach ($template in $AzureUpdateManagerAssignmentTemplates) {
+ $resultsAzureUpdateManagerAssignment = Get-AzManagementGroupDeploymentWhatIfResult -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope } | Out-string -Stream | Select-String -Pattern 'Resource changes'
+ if ($PSCmdlet.ShouldProcess($scope, "- Assigning policies for Azure Update Manager: ${template}; $resultsAzureUpdateManagerAssignment")) {
+ $azureUpdateManagerAssignment = Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/$scope/providers/microsoft.authorization/policyassignments/Enable-AUM-CheckUpdates" -ErrorAction SilentlyContinue
+ if ($azureUpdateManagerAssignment) {
+ Write-Host "- Found existing policy assignment: $($azureUpdateManagerAssignment.Name) on $($scope) ..." -ForegroundColor DarkGray
+ }
+ if (-NOT($azureUpdateManagerAssignment)) {
+ Write-Host "- Assigning policies for Azure Update Manager: ${template} to scope ${scope}; $resultsAzureUpdateManagerAssignment ..." -ForegroundColor DarkGreen
+ New-AzManagementGroupDeployment -ManagementGroupId $scope -Location $location -TemplateFile ".\eslzArm\managementGroupTemplates\policyAssignments\$template" -TemplateParameterObject @{"topLevelManagementGroupPrefix" = $eslzRoot; "scope" = $scope } > $null
+ }
+ }
+ }
+ }
+ }
+}
+function Remove-LegacySolutions {
+ [CmdletBinding(SupportsShouldProcess)]
+ param ()
+ begin {
+ $legacySolutions = Get-AzMonitorLogAnalyticsSolution | Where-Object { $_.Name -notlike "SecurityInsights*" -and $_.Name -notlike "ChangeTracking*" }
+ }
+ process {
+ foreach ($legacySolution in $legacySolutions) {
+ if ($PSCmdlet.ShouldProcess($legacySolution.WorkspaceResourceId, "- Removing legacy solutions: $($legacySolution.Name)")) {
+ Write-Host "- Removing legacy solution: $($legacySolution.Name) ..." -ForegroundColor DarkRed
+ $legacySolution | Remove-AzMonitorLogAnalyticsSolution > $null
+ }
+ }
+ if (-NOT($legacySolutions)) {
+ Write-Host "- No legacy solutions found ..." -ForegroundColor DarkGray
+ }
+ }
+}
+function Remove-ObsoleteUAMI {
+ [CmdletBinding(SupportsShouldProcess)]
+ param (
+ [Parameter(Mandatory = $true)]
+ [string]
+ $location,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $obsoleteUAMIResourceGroupName
+ )
+ begin {
+ $results = Search-AzGraph -Query "resources | where type == 'microsoft.managedidentity/userassignedidentities' | where name == 'id-ama-prod-$location-001' | where resourceGroup == '$obsoleteUAMIResourceGroupName'"
+ $denyActionAssignment = Get-AzPolicyAssignment -Id "/providers/microsoft.management/managementgroups/contoso-platform/providers/microsoft.authorization/policyassignments/denyaction-deleteuamiama"
+ $ExpiresOn = (Get-Date).AddDays(1).ToString("yyyy-MM-dd")
+ }
+ process {
+ foreach ($result in $results) {
+ if ($PSCmdlet.ShouldProcess($result.subscriptionId, "- Removing obsolete User Assigned Managed Identity: $($result.Name)")) {
+ Write-Host "- Removing obsolete User Assigned Managed Identity: $($result.Name) from $($result.subscriptionId) ..." -ForegroundColor DarkRed
+ New-AzPolicyExemption -Name "exempt-delete-uami-ama-$($result.subscriptionId)" -PolicyAssignment $denyActionAssignment -Scope $result.id -ExpiresOn $ExpiresOn -Description "Exempted for AMA migration" -ExemptionCategory "Waiver" -ErrorAction SilentlyContinue > $null
+ Set-AzContext -SubscriptionId $result.subscriptionId > $null
+ Remove-AzUserAssignedIdentity -ResourceGroupName $result.resourceGroup -name $result.name > $null
+ if (-NOT(Get-AzResource -ResourceGroupName $result.resourceGroup)) {
+ Remove-AzResourceGroup -Name $result.resourceGroup -Force -ErrorAction SilentlyContinue > $null
+ }
+ }
+ }
+ if (-NOT($results)) {
+ Write-Host "- No obsolete User Assigned Managed Identities found ..." -ForegroundColor DarkGray
+ }
+ }
+}
+
+# Generate 8 character random string (combination of lowercase letters and integers)
+$userConfirmationRandomID = -join ((48..57) + (97..122) | Get-Random -Count 8 | ForEach-Object { [char]$_ })
+Write-Host "`r`nIMPORTANT: THIS SCRIPT WILL DEPLOY, UNASSIGN AND REMOVE RESOURCES!`r`n" -ForegroundColor DarkRed
+Write-Host "We recommend that you have carefully assessed your current state and followed the guidance`r`nfrom both the Azure Landing Zones documentation and the public documentation that it references." -ForegroundColor DarkYellow
+Write-Host "`r`nUse the -WhatIf parameter to see what the changes will do before you apply them." -ForegroundColor DarkYellow
+Write-Host "`r`nPlease enter the following random string exactly: $userConfirmationRandomID`r`n" -ForegroundColor DarkYellow
+Write-Host "Please enter the random string shown above to confirm you wish to contine running this script." -ForegroundColor DarkYellow
+$userConfirmationInputString = Read-Host -Prompt "(Leave blank or type anything that doesn't match the string above to cancel/terminate)"
+
+if ($userConfirmationInputString -eq $userConfirmationRandomID) {
+ Write-Host "`r`nConfirmation string entered successfully, proceeding to update Azure Landing Zones to use AMA ...`r`n" -ForegroundColor DarkGreen
+}
+else {
+ Write-Host "Confirmation string not entered or incorrect, terminating script ..." -ForegroundColor Red
+ throw "Confirmation string not entered or incorrectly entered, terminating script ..."
+}
+
+$landingZoneScope = "$eslzRoot-landingzones"
+$platformScope = "$eslzRoot-platform"
+$scopes = @(
+ $platformScope,
+ $landingZoneScope
+)
+$legacyAssignmentsMMAToAMA = @(
+ "deploy-vm-monitoring",
+ "deploy-vmss-monitoring"
+)
+$legacyAssignmentsUpdateAMA = @(
+ "deploy-mdfc-defensql-ama",
+ "deploy-uami-vminsights"
+)
+$userAssignedIdentityName = "id-ama-prod-$location-001"
+$VMInsightsAssignmentTemplates = @(
+ "DINE-VMMonitoringPolicyAssignment.json",
+ "DINE-VMSSMonitoringPolicyAssignment.json",
+ "DINE-VMHybridMonitoringPolicyAssignment.json"
+)
+$ChangeTrackingAssignmentTemplates = @(
+ "DINE-ChangeTrackingVMPolicyAssignment.json",
+ "DINE-ChangeTrackingVMSSPolicyAssignment.json",
+ "DINE-ChangeTrackingVMArcPolicyAssignment.json"
+)
+$MDfCDefenderSQLAssignmentTemplates = @(
+ "DINE-MDFCDefenderSQLAMAPolicyAssignment.json"
+)
+$AzureUpdateManagerAssignmentTemplates = @(
+ "MODIFY-AUM-CheckUpdatesPolicyAssignment.json"
+)
+$policyRemediationList = @(
+ "c4a70814-96be-461c-889f-2b27429120dc",
+ "92a36f05-ebc9-4bba-9128-b47ad2ea3354",
+ "53448c70-089b-4f52-8f38-89196d7f2de1",
+ "f5bf694c-cca7-4033-b883-3a23327d5485",
+ "924bfe3a-762f-40e7-86dd-5c8b95eb09e6",
+ "2b00397d-c309-49c4-aa5a-f0b2c5bc6321",
+ "de01d381-bae9-4670-8870-786f89f49e26",
+ "Deploy-AUM-CheckUpdates"
+)
+
+# Update Policy Definitions
+if ($UpdatePolicyDefinitions) {
+ Write-Host "`r`nUpdating Policies ...`r`n" -ForegroundColor DarkBlue
+ Update-Policies -eslzRoot $eslzRoot -location $location
+}
+
+# Remove legacy Policy Assignments for for MMA to AMA migration path
+If ($RemoveLegacyPolicyAssignments -and $migrationPath -eq "MMAtoAMA") {
+ Write-Host "`r`nRemoving legacy Policy Assignments ...`r`n" -ForegroundColor DarkBlue
+ Remove-LegacyAssignments -scope $eslzRoot -legacyAssignments $legacyAssignmentsMMAToAMA
+}
+
+# Remove legacy Policy Assignments for Update AMA migration path
+If ($RemoveLegacyPolicyAssignments -and $migrationPath -eq "UpdateAMA") {
+ Write-Host "`r`nRemoving legacy Policy Assignments ...`r`n" -ForegroundColor DarkBlue
+ foreach ($scope in $scopes) {
+ Remove-LegacyAssignments -scope $scope -legacyAssignments $legacyAssignmentsUpdateAMA
+ }
+}
+
+# Deploy User Assigned Managed Identity
+if ($DeployUserAssignedManagedIdentity -or $DeployVMInsights -or $DeployChangeTracking -or $DeployMDfCDefenderSQL) {
+ Write-Host "`r`nDeploying User Assigned Managed Identity ...`r`n" -ForegroundColor DarkBlue
+ Deploy-UserAssignedManagedIdentity -eslzRoot $eslzRoot -location $location -managementResourceGroupName $managementResourceGroupName -platformScope $platformScope -userAssignedIdentityName $userAssignedIdentityName
+}
+
+# Deploy VMInsights
+if ($DeployVMInsights) {
+ Write-Host "`r`nDeploying VMInsights ...`r`n" -ForegroundColor DarkBlue
+ Deploy-VMInsights -location $location -eslzRoot $eslzRoot -managementResourceGroupName $managementResourceGroupName -workspaceResourceId $workspaceResourceId -userAssignedIdentityName $userAssignedIdentityName -scopes $scopes -VMInsightsAssignmentTemplates $VMInsightsAssignmentTemplates -migrationPath $migrationPath
+}
+
+# Deploy ChangeTracking
+if ($DeployChangeTracking) {
+ Write-Host "`r`nDeploying ChangeTracking ...`r`n" -ForegroundColor DarkBlue
+ Deploy-ChangeTracking -location $location -eslzRoot $eslzRoot -managementResourceGroupName $managementResourceGroupName -workspaceResourceId $workspaceResourceId -userAssignedIdentityName $userAssignedIdentityName -scopes $scopes -ChangeTrackingAssignmentTemplates $ChangeTrackingAssignmentTemplates -migrationPath $migrationPath
+}
+
+# Deploy MDFC Defender for SQL
+if ($DeployMDfCDefenderSQL) {
+ Write-Host "`r`nDeploying MDFC Defender for SQL ...`r`n" -ForegroundColor DarkBlue
+ Deploy-MDFCDefenderSQL -location $location -eslzRoot $eslzRoot -managementResourceGroupName $managementResourceGroupName -workspaceResourceId $workspaceResourceId -userAssignedIdentityName $userAssignedIdentityName -scopes $scopes -MDfCDefenderSQLAssignmentTemplates $MDfCDefenderSQLAssignmentTemplates
+}
+
+# Deploy Azure Update Manager
+if ($DeployAzureUpdateManager -and $migrationPath -eq "MMAtoAMA") {
+ Write-Host "`r`nDeploying Azure Update Manager ...`r`n" -ForegroundColor DarkBlue
+ Deploy-AzureUpdateManager -location $location -eslzRoot $eslzRoot -managementResourceGroupName $managementResourceGroupName -workspaceResourceId $workspaceResourceId -userAssignedIdentityName $userAssignedIdentityName
+}
+
+# Remove legacy solutions
+If ($RemoveLegacySolutions -and $migrationPath -eq "MMAtoAMA") {
+ Write-Host "`r`nRemoving legacy solutions ...`r`n" -ForegroundColor DarkBlue
+ Remove-LegacySolutions
+}
+
+# Policy Remediation
+if ($RemediatePolicies) {
+ Write-Host "`r`nRemediating policies ...`r`n" -ForegroundColor DarkBlue
+ foreach ($policy in $policyRemediationList) {
+ Get-PolicyType -managementGroupName $landingZoneScope -policyName $policy > $null
+ Get-PolicyType -managementGroupName $platformScope -policyName $policy > $null
+ }
+}
+
+# Remove obsolete User Assigned Managed Identities
+if ($removeObsoleteUAMI -and $migrationPath -eq "UpdateAMA") {
+ Write-Host "`r`nRemoving obsolete User Assigned Managed Identities ...`r`n" -ForegroundColor DarkBlue
+ Remove-ObsoleteUAMI -location $location -obsoleteUAMIResourceGroupName $obsoleteUAMIResourceGroupName
+}
diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep
new file mode 100644
index 0000000000..a1a7e7c233
--- /dev/null
+++ b/src/templates/initiatives.bicep
@@ -0,0 +1,143 @@
+targetScope = 'managementGroup'
+
+@metadata({ message: 'The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!' })
+@description('Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = "alz"')
+@maxLength(10)
+param topLevelManagementGroupPrefix string = 'alz'
+
+@description('Optionally set the deployment location for policies with Deploy If Not Exists effect. DEFAULT VALUE = "deployment().location"')
+param location string = deployment().location
+
+@description('Optionally set the scope for custom Policy Definitions used in Policy Set Definitions (Initiatives). Must be one of \'/\', \'/subscriptions/id\' or \'/providers/Microsoft.Management/managementGroups/id\'. DEFAULT VALUE = \'/providers/Microsoft.Management/managementGroups/\${topLevelManagementGroupPrefix}\'')
+param scope string = tenantResourceId('Microsoft.Management/managementGroups', topLevelManagementGroupPrefix)
+
+// Extract the environment name to dynamically determine which policies to deploy.
+var cloudEnv = environment().name
+
+// Default deployment locations used in templates
+var defaultDeploymentLocationByCloudType = {
+ AzureCloud: 'northeurope'
+ AzureChinaCloud: 'chinaeast2'
+ AzureUSGovernment: 'usgovvirginia'
+}
+
+// Used to identify template variables used in the templates for replacement.
+var templateVars = {
+ scope: '/providers/Microsoft.Management/managementGroups/contoso'
+ defaultDeploymentLocation: '"location": "northeurope"'
+ localizedDeploymentLocation: '"location": "${defaultDeploymentLocationByCloudType[cloudEnv]}"'
+}
+
+// The following var contains lists of files containing Policy Set Definition (Initiative) resources to load, grouped by compatibility with Cloud.
+// To get a full list of Azure clouds, use the az cli command "az cloud list --output table"
+// We use loadTextContent instead of loadJsonContent as this allows us to perform string replacement operations against the imported templates.
+var loadPolicySetDefinitions = {
+ All: [
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json') // FSI specific initiative
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json') // FSI specific initiative
+ ]
+ AzureCloud: [
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json') // Unable to validate if Guest Configuration is working in other clouds
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json')
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json') // Unable to validate if all Azure Site Recovery features are working in other clouds
+ ]
+ AzureChinaCloud: [
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // Due to missing built-in Policy Definitions ()
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json') // Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 74c30959-af11-47b3-9ed2-a26e03f427a3, 1f725891-01c0-420a-9059-4fa46cb770b7, 2370a3c1-4a25-4283-a91a-c9c1a145fb2f, b7021b2b-08fd-4dc0-9de7-3c6ece09faf9, b99b73e7-074b-4089-9395-b7236f094491)
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json') // Due to missing built-in Policy Definitions ()
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (051cba44-2429-45b9-9649-46cec11c7119), and replacement custom Policy Definitions ("Deploy-MySQLCMKEffect", "Deploy-PostgreSQLCMKEffect")
+ ]
+ AzureUSGovernment: [
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (5e1de0e3-42cb-4ebc-a86d-61d0c619ca48, c9299215-ae47-4f50-9c54-8a392f68a052)
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureUSGovernment.json') // Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 1f725891-01c0-420a-9059-4fa46cb770b7)
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (0b026355-49cb-467b-8ac4-f777874e175a)
+ loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (83cef61d-dbd1-4b20-a4fc-5fbc7da10833, 18adea5e-f416-4d0f-8aa8-d24321e3e274, 051cba44-2429-45b9-9649-46cec11c7119)
+ ]
+}
+
+// The following vars are used to manipulate the imported Policy Set Definitions to replace Policy Definition scope values
+var processPolicySetDefinitionsAll = [for content in loadPolicySetDefinitions.All: replace(content, templateVars.scope, scope)]
+var processPolicySetDefinitionsAzureCloud = [for content in loadPolicySetDefinitions.AzureCloud: replace(content, templateVars.scope, scope)]
+var processPolicySetDefinitionsAzureChinaCloud = [for content in loadPolicySetDefinitions.AzureChinaCloud: replace(content, templateVars.scope, scope)]
+var processPolicySetDefinitionsAzureUSGovernment = [for content in loadPolicySetDefinitions.AzureUSGovernment: replace(content, templateVars.scope, scope)]
+
+// The following vars are used to convert the imported Policy Set Definitions into objects from JSON
+var policySetDefinitionsAll = [for content in processPolicySetDefinitionsAll: json(content)]
+var policySetDefinitionsAzureCloud = [for content in processPolicySetDefinitionsAzureCloud: json(content)]
+var policySetDefinitionsAzureChinaCloud = [for content in processPolicySetDefinitionsAzureChinaCloud: json(content)]
+var policySetDefinitionsAzureUSGovernment = [for content in processPolicySetDefinitionsAzureUSGovernment: json(content)]
+
+// The following var is used to compile the required Policy Definitions into a single object
+var policySetDefinitionsByCloudType = {
+ All: policySetDefinitionsAll
+ AzureCloud: policySetDefinitionsAzureCloud
+ AzureChinaCloud: policySetDefinitionsAzureChinaCloud
+ AzureUSGovernment: policySetDefinitionsAzureUSGovernment
+}
+
+// The following var is used to extract the Policy Set Definitions into a single list for deployment
+// This will contain all policy set definitions classified as available for All cloud environments, and those for the current cloud environment
+var policySetDefinitions = concat(policySetDefinitionsByCloudType.All, policySetDefinitionsByCloudType[cloudEnv])
+
+// Create the Policy Definitions as needed for the target cloud environment
+// Depends on Policy Definitons to ensure they exist before creating dependent Policy Set Definitions (Initiatives)
+resource PolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = [for policy in policySetDefinitions: {
+ // dependsOn: [
+ // PolicyDefinitions
+ // ]
+ name: policy.name
+ properties: {
+ description: policy.properties.description
+ displayName: policy.properties.displayName
+ metadata: policy.properties.metadata
+ parameters: policy.properties.parameters
+ policyType: policy.properties.policyType
+ policyDefinitions: policy.properties.policyDefinitions
+ policyDefinitionGroups: policy.properties.policyDefinitionGroups
+ }
+}]
+
+// output policyDefinitionNames array = [for policy in policyDefinitions: policy.name]
+output policySetDefinitionNames array = [for policy in policySetDefinitions: policy.name]
diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep
index d162e6451a..0ec8d09707 100644
--- a/src/templates/policies.bicep
+++ b/src/templates/policies.bicep
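Review bot: The two comment lines above the `PolicySetDefinitions` resource in initiatives.bicep describe a dependency the code does not enforce: the `dependsOn: [ PolicyDefinitions ]` block is commented out and no `PolicyDefinitions` symbol exists in this template, so nothing orders these initiatives after the custom Policy Definitions they reference under `scope`, and deploying this file before policies.bicep would be expected to fail with definition-not-found errors. I would delete the three dead `// dependsOn` lines and replace the header with `// Create the Policy Set Definitions (Initiatives) for the target cloud environment.` and `// The custom Policy Definitions they reference must already exist at 'scope' (deploy policies.bicep first); a dependsOn cannot target a resource declared in another template, so the caller owns that ordering.`, which also fixes the first line saying "Policy Definitions" for a resource that creates Policy Set Definitions and the "Definitons" typo. Separately, the `location` parameter and the `defaultDeploymentLocation`/`localizedDeploymentLocation` entries of `templateVars` are never referenced in this file (only `templateVars.scope` is used in the `replace` calls), which the Bicep linter reports as no-unused-params/no-unused-vars; either use them or remove them.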
@@ -36,33 +36,6 @@ var targetDeploymentLocationByCloudType = {
 var deploymentLocation = '"location": "${targetDeploymentLocationByCloudType[cloudEnv]}"'
-// Unable to do the following commented out approach due to the error "The value must be a compile-time constant.bicep(BCP032)"
-// See: https://github.com/Azure/bicep/issues/3816#issuecomment-1191230215
-
-// The following vars are used to load the list of Policy Definitions to import
-// var listPolicyDefinitionsAll = loadJsonContent('../data/policyDefinitions.All.json')
-// var listPolicyDefinitionsAzureCloud = loadJsonContent('../data/policyDefinitions.AzureCloud.json')
-// var listPolicyDefinitionsAzureChinaCloud = loadJsonContent('../data/policyDefinitions.AzureChinaCloud.json')
-// var listPolicyDefinitionsAzureUSGovernment = loadJsonContent('../data/policyDefinitions.AzureUSGovernment.json')
-
-// The following vars are used to load the list of Policy Set Definitions to import
-// var listPolicySetDefinitionsAll = loadJsonContent('../data/policySetDefinitions.All.json')
-// var listPolicySetDefinitionsAzureCloud = loadJsonContent('../data/policySetDefinitions.AzureCloud.json')
-// var listPolicySetDefinitionsAzureChinaCloud = loadJsonContent('../data/policySetDefinitions.AzureChinaCloud.json')
-// var listPolicySetDefinitionsAzureUSGovernment = loadJsonContent('../data/policySetDefinitions.AzureUSGovernment.json')
-
-// The following vars are used to load the list of Policy Definitions to import
-// var loadPolicyDefinitionsAll = [for item in listPolicyDefinitionsAll: loadTextContent(item)]
-// var loadPolicyDefinitionsAzureCloud = [for item in listPolicyDefinitionsAzureCloud: loadTextContent(item)]
-// var loadPolicyDefinitionsAzureChinaCloud = [for item in listPolicyDefinitionsAzureChinaCloud: loadTextContent(item)]
-// var loadPolicyDefinitionsAzureUSGovernment = [for item in listPolicyDefinitionsAzureUSGovernment: loadTextContent(item)]
-
-// The following vars are used to load the list of Policy Set Definitions to import
-// var loadPolicySetDefinitionsAll = [for item in listPolicySetDefinitionsAll: loadTextContent(item)]
-// var loadPolicySetDefinitionsAzureCloud = [for item in listPolicySetDefinitionsAzureCloud: loadTextContent(item)]
-// var loadPolicySetDefinitionsAzureChinaCloud = [for item in listPolicySetDefinitionsAzureChinaCloud: loadTextContent(item)]
-// var loadPolicySetDefinitionsAzureUSGovernment = [for item in listPolicySetDefinitionsAzureUSGovernment: loadTextContent(item)]
-
 // The following var contains lists of files containing Policy Definition resources to load, grouped by compatibility with Cloud.
 // To get a full list of Azure clouds, use the az cli command "az cloud list --output table"
 // We use loadTextContent instead of loadJsonContent as this allows us to perform string replacement operations against the imported templates.
@@ -73,6 +46,10 @@ var loadPolicyDefinitions = {
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http.json')
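Review bot: The four Audit-* entries added here break the alphabetical order the list otherwise keeps — `Audit-AzureHybridBenefit.json` lands after `Audit-ServerFarms-UnusedResourcesCostOptimization.json` — and the next two hunks do the same (`Deny-MgmtPorts-From-Internet.json` after `Deny-RDP-From-Internet.json`, the `Deny-StorageAccount-CustomDomain.json` and `Deny-FileServices-*` block after `Deny-VNet-Peering.json`, and the Audit-/DenyAction-/Deny- entries appended after `Deploy-Windows-DomainJoin.json`). A sorted list is what lets a reviewer spot a missing or duplicated definition file by eye, so I would move each new line to its sorted position instead of appending it. The `loadPolicyDefinitions` object starts and ends outside this hunk.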
@@ -83,15 +60,24 @@ var loadPolicyDefinitions = {
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-PublicIP.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Redis-http.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Penp.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-UDR-With-Specific-NextHop.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peering-To-Non-Approved-VNETs.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-StorageAccount-CustomDomain.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureKerberos.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureSmbChannel.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureSmbVersions.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureAuth.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json') // Only difference is hard-coded template deployment location (handled by this template)
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table.json') // Equivalent to "Deploy-Default-Udr" in AzureChinaCloud and AzureUSGovernment but with differences
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection.json') // Only difference is hard-coded template deployment location (handled by this template)
@@ -156,10 +142,48 @@ var loadPolicyDefinitions = {
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke.json') // Only difference is hard-coded template deployment location (handled by this template)
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json')
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AzFw-Without-Policy.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-Resource-Kinds.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Modify-NSG.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json') // FSI specific policy
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json')
+ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json')
 ]
 AzureCloud: [
 loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment
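Review bot: `Deploy-Sql-vulnerabilityAssessments_20230706.json` is loaded next to the existing `Deploy-Sql-vulnerabilityAssessments.json` with nothing saying why both versions are kept, so a reader cannot tell whether the older file is deprecated or still referenced by an initiative; I would give the new line a trailing comment such as `// Newer variant; the unsuffixed definition is kept for existing assignments — see <PLACEHOLDER: tracking issue>`. All 38 new entries, including the 24 tagged `// FSI specific policy`, go into the list closed by the `]` just before `AzureCloud: [` (presumably `All`, which `processPolicyDefinitionsAll` reads), so they will be deployed to AzureChinaCloud and AzureUSGovernment as well; the file's convention for definitions not yet checked there is the `AzureCloud` list with a `// Needs validating in AzureChinaCloud and AzureUSGovernment` comment, as on `Audit-MachineLearning-PrivateEndpointId.json` in this hunk's trailing context. Unless each new definition has been verified against those clouds, it belongs in `AzureCloud` with that comment rather than here. `loadPolicyDefinitions` starts and ends outside this hunk.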
@@ -196,37 +220,6 @@ var loadPolicyDefinitions = {
 ]
 }
-// The following var contains lists of files containing Policy Set Definition (Initiative) resources to load, grouped by compatibility with Cloud.
-// To get a full list of Azure clouds, use the az cli command "az cloud list --output table"
-// We use loadTextContent instead of loadJsonContent as this allows us to perform string replacement operations against the imported templates.
-var loadPolicySetDefinitions = {
- All: [
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json')
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json')
- ]
- AzureCloud: [
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
- ]
- AzureChinaCloud: [
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // Due to missing built-in Policy Definitions ()
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json') // Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 74c30959-af11-47b3-9ed2-a26e03f427a3, 1f725891-01c0-420a-9059-4fa46cb770b7, 2370a3c1-4a25-4283-a91a-c9c1a145fb2f, b7021b2b-08fd-4dc0-9de7-3c6ece09faf9, b99b73e7-074b-4089-9395-b7236f094491)
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureChinaCloud.json') // Due to missing built-in Policy Definitions ()
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureChinaCloud.json') // Due to missing built-in Policy Definitions (051cba44-2429-45b9-9649-46cec11c7119), and replacement custom Policy Definitions ("Deploy-MySQLCMKEffect", "Deploy-PostgreSQLCMKEffect")
- ]
- AzureUSGovernment: [
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (5e1de0e3-42cb-4ebc-a86d-61d0c619ca48, c9299215-ae47-4f50-9c54-8a392f68a052)
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.AzureUSGovernment.json') // Due to missing "Deploy-Diagnostics-AVDScalingPlans" custom Policy Definition
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (44433aa3-7ec2-4002-93ea-65c65ff0310a, 50ea7265-7d8c-429e-9a7d-ca1f410191c3, b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d, 1f725891-01c0-420a-9059-4fa46cb770b7)
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (0b026355-49cb-467b-8ac4-f777874e175a)
- loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.AzureUSGovernment.json') // Due to missing built-in Policy Definitions (83cef61d-dbd1-4b20-a4fc-5fbc7da10833, 18adea5e-f416-4d0f-8aa8-d24321e3e274, 051cba44-2429-45b9-9649-46cec11c7119)
- ]
-}
-
 // The following vars are used to manipulate the imported Policy Definitions to replace deployment location values
 // Needs a double replace to handle updates in both templates for All clouds, and localized templates
 var processPolicyDefinitionsAll = [for content in loadPolicyDefinitions.All: replace(replace(content, templateVars.defaultDeploymentLocation, deploymentLocation), templateVars.localizedDeploymentLocation, deploymentLocation)]
@@ -234,11 +227,6 @@ var processPolicyDefinitionsAzureCloud = [for content in loadPolicyDefinitions.A
 var processPolicyDefinitionsAzureChinaCloud = [for content in loadPolicyDefinitions.AzureChinaCloud: replace(replace(content, templateVars.defaultDeploymentLocation, deploymentLocation), templateVars.localizedDeploymentLocation, deploymentLocation)]
 var processPolicyDefinitionsAzureUSGovernment = [for content in loadPolicyDefinitions.AzureUSGovernment: replace(replace(content, templateVars.defaultDeploymentLocation, deploymentLocation), templateVars.localizedDeploymentLocation, deploymentLocation)]
-// The following vars are used to manipulate the imported Policy Set Definitions to replace Policy Definition scope values
-var processPolicySetDefinitionsAll = [for content in loadPolicySetDefinitions.All: replace(content, templateVars.scope, scope)]
-var processPolicySetDefinitionsAzureCloud = [for content in loadPolicySetDefinitions.AzureCloud: replace(content, templateVars.scope, scope)]
-var processPolicySetDefinitionsAzureChinaCloud = [for content in loadPolicySetDefinitions.AzureChinaCloud: replace(content, templateVars.scope, scope)]
-var processPolicySetDefinitionsAzureUSGovernment = [for content in loadPolicySetDefinitions.AzureUSGovernment: replace(content, templateVars.scope, scope)]
 // The following vars are used to convert the imported Policy Definitions into objects from JSON
 var policyDefinitionsAll = [for content in processPolicyDefinitionsAll: json(content)]
@@ -246,11 +234,6 @@ var policyDefinitionsAzureCloud = [for content in processPolicyDefinitionsAzureC
 var policyDefinitionsAzureChinaCloud = [for content in processPolicyDefinitionsAzureChinaCloud: json(content)]
 var policyDefinitionsAzureUSGovernment = [for content in processPolicyDefinitionsAzureUSGovernment: json(content)]
-// The following vars are used to convert the imported Policy Set Definitions into objects from JSON
-var policySetDefinitionsAll = [for content in processPolicySetDefinitionsAll: json(content)]
-var policySetDefinitionsAzureCloud = [for content in processPolicySetDefinitionsAzureCloud: json(content)]
-var policySetDefinitionsAzureChinaCloud = [for content in processPolicySetDefinitionsAzureChinaCloud: json(content)]
-var policySetDefinitionsAzureUSGovernment = [for content in processPolicySetDefinitionsAzureUSGovernment: json(content)]
 // The following var is used to compile the required Policy Definitions into a single object
 var policyDefinitionsByCloudType = {
@@ -260,22 +243,10 @@ var policyDefinitionsByCloudType = {
 AzureUSGovernment: policyDefinitionsAzureUSGovernment
 }
-// The following var is used to compile the required Policy Definitions into a single object
-var policySetDefinitionsByCloudType = {
- All: policySetDefinitionsAll
- AzureCloud: policySetDefinitionsAzureCloud
- AzureChinaCloud: policySetDefinitionsAzureChinaCloud
- AzureUSGovernment: policySetDefinitionsAzureUSGovernment
-}
-
 // The following var is used to extract the Policy Definitions into a single list for deployment
 // This will contain all policy definitions classified as available for All cloud environments, and those for the current cloud environment
 var policyDefinitions = concat(policyDefinitionsByCloudType.All, policyDefinitionsByCloudType[cloudEnv])
-// The following var is used to extract the Policy Set Definitions into a single list for deployment
-// This will contain all policy set definitions classified as available for All cloud environments, and those for the current cloud environment
-var policySetDefinitions = concat(policySetDefinitionsByCloudType.All, policySetDefinitionsByCloudType[cloudEnv])
-
 // Create the Policy Definitions as needed for the target cloud environment
 resource PolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2020-09-01' = [for policy in policyDefinitions: {
 name: policy.name
@@ -290,23 +261,4 @@ resource PolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2020-09-01
 }
 }]
-// Create the Policy Definitions as needed for the target cloud environment
-// Depends on Policy Definitons to ensure they exist before creating dependent Policy Set Definitions (Initiatives)
-resource PolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = [for policy in policySetDefinitions: {
- dependsOn: [
- PolicyDefinitions
- ]
- name: policy.name
- properties: {
- description: policy.properties.description
- displayName: policy.properties.displayName
- metadata: policy.properties.metadata
- parameters: policy.properties.parameters
- policyType: policy.properties.policyType
- policyDefinitions: policy.properties.policyDefinitions
- policyDefinitionGroups: policy.properties.policyDefinitionGroups
- }
-}]
-
 output policyDefinitionNames array = [for policy in policyDefinitions: policy.name]
-output policySetDefinitionNames array = [for policy in policySetDefinitions: policy.name]
diff --git a/tests/policy/Deny-AA-child-resources.Tests.ps1.TODO b/tests/policy/Deny-AA-child-resources.Tests.ps1.TODO
new file mode 100644
index 0000000000..b5dd2aa521
--- /dev/null
+++ b/tests/policy/Deny-AA-child-resources.Tests.ps1.TODO
@@ -0,0 +1,354 @@
+[CmdletBinding()]
+param (
+ [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json",
+ [Parameter()][String]$esCompanyPrefix
+)
+
+Import-Module -Name Az.Automation
+Import-Module -Name Az.Resources
+Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force
+
+#######################################################################################################################
+##
+## TODO: This test needs a lot of work, and I suspect the policy doesn't work as intended.
+## This is not assigned by default.
+##
+#######################################################################################################################
+
+Describe "Testing policy 'Deny-AA-child-resources'" -Tag "deny-automation-children" {
+
+ BeforeAll {
+
+ # Set the default context for Az commands.
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force
+
+ if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) {
+ Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath"
+ $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable
+
+ # Set the esCompanyPrefix from the deployment configuration if not specified
+ $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix
+ $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp"
+ }
+
+ $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-AA-child-resources' }
+ New-AzPolicyAssignment -Name "TDeny-AA-child" -Scope $mangementGroupScope -PolicyDefinition $definition
+
+ }
+
+ Context "Test adding child resources on Automation Account when created or updated" -Tag "deny-automation-children" {
+
+ # TEST TEST TEST
+ It "Should allow compliant Automation Account" -Tag "deny-noncompliant-automation" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 15
+ $name = "ALZTest$Random"
+
+ {
+ $aa = New-AzAutomationAccount `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -Name "ContosoAA001" `
+ -Location "uksouth" `
+ -DisablePublicNetworkAccess
+
+ } | Should -Not -Throw
+ }
+ }
+
+ It "Should deny non-compliant Automation Account - Runbook" -Tag "deny-noncompliant-automation" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 15
+ $name = "ALZTest$Random"
+
+ {
+ $aa = New-AzAutomationAccount `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -Name $name `
+ -Location "uksouth" `
+ -DisablePublicNetworkAccess
+
+ New-AzAutomationRunbook `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -AutomationAccountName $aa.AutomationAccountName `
+ -Name "ContosoRunbook001" `
+ -Type "PowerShell"
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should deny non-compliant Automation Account - Runbook - via API" -Tag "deny-noncompliant-automation" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ # Should be disallowed by policy, so exception should be thrown.
+ {
+ $sku = @{
+ name = "Free"
+ }
+
+ $random = GenerateRandomString -Length 15
+ $name = "ALZTest$Random"
+
+ $object = @{
+ name = $name
+ properties = @{
+ sku = $sku
+ publicNetworkAccess = $false
+ }
+ location = "uksouth"
+ }
+ $payload = ConvertTo-Json -InputObject $object -Depth 100
+
+ $httpResponse = Invoke-AzRestMethod `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -ResourceProviderName "Microsoft.Automation" `
+ -ResourceType "automationAccounts" `
+ -Name $name `
+ -ApiVersion "2021-06-22" `
+ -Method "PUT" `
+ -Payload $payload
+
+ if ($httpResponse.StatusCode -eq 200 -or $httpResponse.StatusCode -eq 201) {
+ # Automation Account created
+ }
+ else {
+ throw "Operation failed with message: '$($httpResponse.Content)'"
+ }
+
+ $object = @{
+ name = "ContosoRunbook001"
+ properties = @{
+ runbookType = $false
+ }
+ }
+ $payload = ConvertTo-Json -InputObject $object -Depth 100
+
+ $httpResponse = Invoke-AzRestMethod `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -ResourceProviderName "Microsoft.Automation" `
+ -ResourceType @('automationAccounts','runbooks') `
+ -Name @($name,'ContosoRunbook001') `
+ -ApiVersion "2019-06-01" `
+ -Method "PUT" `
+ -Payload $payload
+
+ if ($httpResponse.StatusCode -eq 200 -or $httpResponse.StatusCode -eq 201) {
+ # Automation Account - Runbook created
+ }
+ else {
+ throw "Operation failed with message: '$($httpResponse.Content)'"
+ }
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should deny non-compliant Automation Account - Variable" -Tag "deny-noncompliant-automation" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 15
+ $name = "ALZTest$Random"
+
+ {
+ New-AzAutomationAccount `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -Name $name `
+ -Location "uksouth" `
+ -DisablePublicNetworkAccess
+
+ New-AzAutomationVariable `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -AutomationAccountName $name `
+ -Name "ContosoVariable001" `
+ -Value "somestring" `
+ -Encrypted $False
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should deny non-compliant Automation Account - Variable - via API" -Tag "deny-noncompliant-automation" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ # Should be disallowed by policy, so exception should be thrown.
+ {
+ $sku = @{
+ name = "Free"
+ }
+
+ $random = GenerateRandomString -Length 15
+ $name = "ALZTest$Random"
+
+ $object = @{
+ name = $name
+ properties = @{
+ sku = $sku
+ publicNetworkAccess = $false
+ }
+ location = "uksouth"
+ }
+ $payload = ConvertTo-Json -InputObject $object -Depth 100
+
+ $httpResponse = Invoke-AzRestMethod `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -ResourceProviderName "Microsoft.Automation" `
+ -ResourceType "automationAccounts" `
+ -Name $name `
+ -ApiVersion "2021-06-22" `
+ -Method "PUT" `
+ -Payload $payload
+
+ if ($httpResponse.StatusCode -eq 200 -or $httpResponse.StatusCode -eq 201) {
+ # Automation Account created
+ }
+ else {
+ throw "Operation failed with message: '$($httpResponse.Content)'"
+ }
+
+ $object = @{
+ name = "ContosoVariable002"
+ properties = @{
+ value = "some long string"
+ isEncrypted = $false
+ }
+ }
+ $payload = ConvertTo-Json -InputObject $object -Depth 100
+
+ $httpResponse = Invoke-AzRestMethod `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -ResourceProviderName "Microsoft.Automation" `
+ -ResourceType @('automationAccounts','variables') `
+ -Name @($name,'ContosoVariable002') `
+ -ApiVersion "2019-06-01" `
+ -Method "PUT" `
+ -Payload $payload
+
+ if ($httpResponse.StatusCode -eq 200 -or $httpResponse.StatusCode -eq 201) {
+ # Automation Account - Runbook created
+ }
+ else {
+ throw "Operation failed with message: '$($httpResponse.Content)'"
+ }
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should deny non-compliant Automation Account - Modules" -Tag "deny-noncompliant-automation" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 15
+ $name = "ALZTest$Random"
+
+ {
+ New-AzAutomationAccount `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -Name $name `
+ -Location "uksouth" `
+ -DisablePublicNetworkAccess
+
+ New-AzAutomationModule `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -AutomationAccountName $name `
+ -ContentLinkUri "" `
+ -Name "ContosoModule001"
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should deny non-compliant Automation Account - Credential" -Tag "deny-noncompliant-automation" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 15
+ $name = "ALZTest$Random"
+
+ {
+ New-AzAutomationAccount `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -Name $name `
+ -Location "uksouth" `
+ -DisablePublicNetworkAccess
+
+ $User = "Contoso\LongLiveLilith"
+ $Password = ConvertTo-SecureString "$random" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $Password
+
+ New-AzAutomationCredential `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -AutomationAccountName $name `
+ -Name "ContosoCredential001" `
+ -Value $Credential
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should deny non-compliant Automation Account - Connections" -Tag "deny-noncompliant-automation" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 15
+ $name = "ALZTest$Random"
+
+ {
+ New-AzAutomationAccount `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -Name $name `
+ -Location "uksouth" `
+ -DisablePublicNetworkAccess
+
+ New-AzAutomationConnection `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -AutomationAccountName $name `
+ -Name "ContosoConnection001" `
+ -ConnectionTypeName "Azure" `
+ -ConnectionFieldValues @{"ApplicationId"="";"TenantId"="";"CertificateThumbprint"="";"SubscriptionId"=""} `
+ -Description "AzureConnection"
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should deny non-compliant Automation Account - Certificate" -Tag "deny-noncompliant-automation" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 15
+ $name = "ALZTest$Random"
+
+ {
+ New-AzAutomationAccount `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -Name $name `
+ -Location "uksouth" `
+ -DisablePublicNetworkAccess
+
+ $Password = ConvertTo-SecureString "$random" -AsPlainText -Force
+
+ New-AzAutomationCertificate `
+ -ResourceGroupName $ResourceGroup.ResourceGroupName `
+ -AutomationAccountName $name `
+ -Name "ContosoCertificate001" `
+ -Path "./cert.pfx" `
+ -Password $Password `
+ -Description "AzureConnection"
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/tests/policy/Deny-AppGW-Without-WAF.Tests.ps1 b/tests/policy/Deny-AppGW-Without-WAF.Tests.ps1
new file mode 100644
index 0000000000..0d1126264b
--- /dev/null
+++ b/tests/policy/Deny-AppGW-Without-WAF.Tests.ps1
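Review bot: `BeforeAll` creates the deny assignment `TDeny-AA-child` at the `-corp` management group scope, but there is no `AfterAll` removing it, so each run leaves a management-group-wide deny policy in place unless the `AzTest` helper or the pipeline cleans it up (neither is visible here); I would pair it with `AfterAll { Remove-AzPolicyAssignment -Name "TDeny-AA-child" -Scope $mangementGroupScope }`. In the "Should allow compliant Automation Account" case `$name` is built from `GenerateRandomString` but the account is created with `-Name "ContosoAA001"`, a fixed name the other cases avoid, so the random name is unused there; use `-Name $name` as the rest of the file does. In the "Runbook - via API" case the payload sets `runbookType = $false`, which is not a runbook type value, so if the policy does not deny the request the API will most likely reject it for that reason and the `Should -Throw "*disallowed by policy*"` assertion fails on the wrong message; use a real type such as `runbookType = "PowerShell"`. The same assignment-without-cleanup pattern appears in the `Deny-AppGW-Without-WAF.Tests.ps1` hunk that follows, whose end lies outside this view.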
@@ -0,0 +1,131 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Storage +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-AppGW-Without-WAF'" -Tag "deny-appgw-waf" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-AppGW-Without-WAF' } + New-AzPolicyAssignment -Name "TDeny-AppGw-WAF" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test WAF enabled on Application Gateway when created" -Tag "deny-appgw-waf" { + + It "Should deny non-compliant Application Gateway without WAF enabled" -Tag "deny-appgw-waf" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + # Setting up all the requirements for an Application Gateway with WAF enabled + $rule1 = New-AzNetworkSecurityRuleConfig -Name waf-rule -Description "Allow WAF Ports" -Access 
Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange '65200-65535' + $NSG = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -SecurityRules $rule1 + $Subnet = New-AzVirtualNetworkSubnetConfig -Name "Subnet01" -AddressPrefix 10.0.0.0/24 -NetworkSecurityGroup $NSG + $VNet = New-AzVirtualNetwork -Name "VNet01" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet + $VNet = Get-AzVirtualNetwork -Name "VNet01" -ResourceGroupName $ResourceGroup.ResourceGroupName + $Subnet = Get-AzVirtualNetworkSubnetConfig -Name "Subnet01" -VirtualNetwork $VNet + $GatewayIPconfig = New-AzApplicationGatewayIPConfiguration -Name "GatewayIp01" -Subnet $Subnet + $Pool = New-AzApplicationGatewayBackendAddressPool -Name "Pool01" -BackendIPAddresses 10.10.10.1, 10.10.10.2, 10.10.10.3 + $PoolSetting = New-AzApplicationGatewayBackendHttpSetting -Name "PoolSetting01" -Port 80 -Protocol "Http" -CookieBasedAffinity "Disabled" + $FrontEndPort = New-AzApplicationGatewayFrontendPort -Name "FrontEndPort01" -Port 80 + $PublicIp = New-AzPublicIpAddress -ResourceGroupName $ResourceGroup.ResourceGroupName -Name "PublicIpName01" -Location "uksouth" -AllocationMethod "Static" -Sku Standard + $FrontEndIpConfig = New-AzApplicationGatewayFrontendIPConfig -Name "FrontEndConfig01" -PublicIPAddress $PublicIp + $Listener = New-AzApplicationGatewayHttpListener -Name "ListenerName01" -Protocol "Http" -FrontendIpConfiguration $FrontEndIpConfig -FrontendPort $FrontEndPort + $Rule = New-AzApplicationGatewayRequestRoutingRule -Name "Rule01" -RuleType basic -BackendHttpSettings $PoolSetting -HttpListener $Listener -BackendAddressPool $Pool -Priority 101 + $Sku = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2 -Capacity 1 + $wafconfig = 
New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode "Detection" -RuleSetType "OWASP" -RuleSetVersion "3.0" -RequestBodyCheck $true -MaxRequestBodySizeInKb 128 -FileUploadLimitInMb 2 + + # Deploying the compliant Application Gateway with WAF enabled + { + New-AzApplicationGateway ` + -Name $name ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Location "uksouth" ` + -BackendAddressPools $Pool ` + -BackendHttpSettingsCollection $PoolSetting ` + -FrontendIpConfigurations $FrontEndIpConfig ` + -GatewayIpConfigurations $GatewayIpConfig ` + -FrontendPorts $FrontEndPort ` + -HttpListeners $Listener ` + -RequestRoutingRules $Rule ` + -Sku $Sku ` + -WebApplicationFirewallConfig $wafconfig + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant Application Gateway with WAF enabled" -Tag "allow-appgw-waf" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + # Setting up all the requirements for an Application Gateway with WAF enabled + $rule1 = New-AzNetworkSecurityRuleConfig -Name waf-rule -Description "Allow WAF Ports" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange '65200-65535' + $NSG = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -SecurityRules $rule1 + $Subnet = New-AzVirtualNetworkSubnetConfig -Name "Subnet01" -AddressPrefix 10.0.0.0/24 -NetworkSecurityGroup $NSG + $VNet = New-AzVirtualNetwork -Name "VNet01" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet + $VNet = Get-AzVirtualNetwork -Name "VNet01" -ResourceGroupName $ResourceGroup.ResourceGroupName + $Subnet = Get-AzVirtualNetworkSubnetConfig -Name "Subnet01" -VirtualNetwork $VNet + $GatewayIPconfig = 
New-AzApplicationGatewayIPConfiguration -Name "GatewayIp01" -Subnet $Subnet + $Pool = New-AzApplicationGatewayBackendAddressPool -Name "Pool01" -BackendIPAddresses 10.10.10.1, 10.10.10.2, 10.10.10.3 + $PoolSetting = New-AzApplicationGatewayBackendHttpSetting -Name "PoolSetting01" -Port 80 -Protocol "Http" -CookieBasedAffinity "Disabled" + $FrontEndPort = New-AzApplicationGatewayFrontendPort -Name "FrontEndPort01" -Port 80 + $PublicIp = New-AzPublicIpAddress -ResourceGroupName $ResourceGroup.ResourceGroupName -Name "PublicIpName01" -Location "uksouth" -AllocationMethod "Static" -Sku Standard + $FrontEndIpConfig = New-AzApplicationGatewayFrontendIPConfig -Name "FrontEndConfig01" -PublicIPAddress $PublicIp + $Listener = New-AzApplicationGatewayHttpListener -Name "ListenerName01" -Protocol "Http" -FrontendIpConfiguration $FrontEndIpConfig -FrontendPort $FrontEndPort + $Rule = New-AzApplicationGatewayRequestRoutingRule -Name "Rule01" -RuleType basic -BackendHttpSettings $PoolSetting -HttpListener $Listener -BackendAddressPool $Pool -Priority 101 + $Sku = New-AzApplicationGatewaySku -Name "WAF_v2" -Tier WAF_v2 -Capacity 1 + $wafconfig = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode "Detection" -RuleSetType "OWASP" -RuleSetVersion "3.0" -RequestBodyCheck $true -MaxRequestBodySizeInKb 128 -FileUploadLimitInMb 2 + + # Deploying the compliant Application Gateway with WAF enabled + { + New-AzApplicationGateway ` + -Name $name ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Location "uksouth" ` + -BackendAddressPools $Pool ` + -BackendHttpSettingsCollection $PoolSetting ` + -FrontendIpConfigurations $FrontEndIpConfig ` + -GatewayIpConfigurations $GatewayIpConfig ` + -FrontendPorts $FrontEndPort ` + -HttpListeners $Listener ` + -RequestRoutingRules $Rule ` + -Sku $Sku ` + -WebApplicationFirewallConfig $wafconfig + + } | Should -Not -Throw + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-AppGw-WAF" -Scope 
$mangementGroupScope -Confirm:$false + } +} diff --git a/tests/policy/Deny-AppServiceApiApp-http.Tests.ps1 b/tests/policy/Deny-AppServiceApiApp-http.Tests.ps1 new file mode 100644 index 0000000000..c054dd5a37 --- /dev/null +++ b/tests/policy/Deny-AppServiceApiApp-http.Tests.ps1 
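Review bot: In BeforeAll the `-esCompanyPrefix` parameter is overwritten unconditionally by `$esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix`, contradicting the comment "if not specified", and `$mangementGroupScope` is only assigned inside the `if`, so a caller passing an empty `-DeploymentConfigPath` reaches `New-AzPolicyAssignment -Scope $mangementGroupScope` with a null scope. Guard the override with `if ([String]::IsNullOrEmpty($esCompanyPrefix)) { $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix }` and move `$mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp"` after the `if` block (spelling it `$managementGroupScope` while you are there). The same BeforeAll is copied into every App Service and File Services test file in this commit. This file also imports `Az.Storage` although every cmdlet it uses (`New-AzNetworkSecurityRuleConfig`, `New-AzApplicationGateway`, ...) comes from Az.Network, so it only works through module autoloading; change it to `Import-Module -Name Az.Network`. In the deny case the comment `# Deploying the compliant Application Gateway with WAF enabled` describes the other test and should read `# Deploying the non-compliant Application Gateway (Standard_v2 SKU, no WAF tier)`.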
@@ -0,0 +1,82 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Websites +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-AppServiceApiApp-http'" -Tag "deny-appservice-api-http" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-AppServiceApiApp-http' } + New-AzPolicyAssignment -Name "TDeny-ASAPI-http" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + # Create or update App Service is actually the same PUT request, hence testing create covers update as well. 
+ Context "Test HTTPS enabled on App Service - API when created or updated" -Tag "deny-appservice-api-http" { + + It "Should deny non-compliant App Services - API" -Tag "deny-noncompliant-appservice" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $object = @{ + kind = "api" + properties = @{ + httpsOnly = false + } + location = "uksouth" + } + + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + { + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Web" ` + -ResourceType "sites" ` + -Name "testAppServiceAPI" ` + -ApiVersion "2022-03-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # App Service - API created + } + elseif ($httpResponse.StatusCode -eq 202) { + Write-Information "==> Async deployment started" + } throw "Operation error: '$($httpResponse.Content)'" + # Error response describing why the operation failed. + else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + } | Should -Throw "*disallowed by policy*" + } + } + + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-ASAPI-http" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file diff --git a/tests/policy/Deny-AppServiceFunctionApp-http.Tests.ps1 b/tests/policy/Deny-AppServiceFunctionApp-http.Tests.ps1 new file mode 100644 index 0000000000..a090d1a7c9 --- /dev/null +++ b/tests/policy/Deny-AppServiceFunctionApp-http.Tests.ps1 
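Review bot: `httpsOnly = false` in the `$object` hashtable is not a boolean — the value of a hashtable entry is parsed as a statement, so bare `false` is a command invocation: on a Linux runner, where an external `false` command exists, the key most likely ends up `$null` and is serialised as `"httpsOnly": null`, and on Windows it raises a CommandNotFound error whose message does not match `*disallowed by policy*`. It must be `httpsOnly = $false`, here and in the four hashtables of the Function App and Web App hunks, otherwise the deny case never sends the value the policy is meant to reject. The 202 branch also closes with `} throw "Operation error: '$($httpResponse.Content)'"` on one line, which makes that throw unconditional and leaves the following `else {` without an `if`; if this is the file's real content rather than an artifact of the rendering, PowerShell will refuse to parse the script, and the line should be just `}` (same construct in the Function App and Web App hunks).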
@@ -0,0 +1,120 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Websites +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-AppServiceFunctionApp-http'" -Tag "deny-appservice-function-http" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-AppServiceFunctionApp-http' } + New-AzPolicyAssignment -Name "TDeny-ASFunc-http" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + # Create or update App Service is actually the same PUT request, hence testing create covers update as well. 
+ Context "Test HTTPS enabled on App Service - Function when created or updated" -Tag "deny-appservice-function-http" { + + It "Should deny non-compliant App Services - Function - Windows" -Tag "deny-noncompliant-appservice" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $object = @{ + kind = "functionapp" + properties = @{ + httpsOnly = false + } + location = "uksouth" + } + + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + { + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Web" ` + -ResourceType "sites" ` + -Name "testAppServicefunc01" ` + -ApiVersion "2022-03-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # App Service - API created + } + elseif ($httpResponse.StatusCode -eq 202) { + Write-Information "==> Async deployment started" + } throw "Operation error: '$($httpResponse.Content)'" + # Error response describing why the operation failed. + else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should deny non-compliant App Services - Function - Linux" -Tag "deny-noncompliant-appservice" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $object = @{ + kind = "functionapp,linux" + properties = @{ + httpsOnly = false + } + location = "uksouth" + } + + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. 
+ { + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Web" ` + -ResourceType "sites" ` + -Name "testAppServicefunc02" ` + -ApiVersion "2022-03-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # App Service - API created + } + elseif ($httpResponse.StatusCode -eq 202) { + Write-Information "==> Async deployment started" + } throw "Operation error: '$($httpResponse.Content)'" + # Error response describing why the operation failed. + else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + } | Should -Throw "*disallowed by policy*" + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-ASFunc-http" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file diff --git a/tests/policy/Deny-AppServiceWebApp-http.Tests.ps1 b/tests/policy/Deny-AppServiceWebApp-http.Tests.ps1 new file mode 100644 index 0000000000..8fbb2dc0b4 --- /dev/null +++ b/tests/policy/Deny-AppServiceWebApp-http.Tests.ps1 
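Review bot: Both It blocks exercise only the deny path; there is no compliant (`httpsOnly = $true`) request asserted with `Should -Not -Throw`, so a policy that denied every Microsoft.Web/sites PUT would still pass this file, whereas the File Services tests in this commit do include an allow case. A compliant PUT needs an App Service plan (Az.Websites is already imported), so add a third test along the lines below and give it a unique site name, since site names are global. The inline comment `# App Service - API created` in both 200 branches is copied from the API test and should say `# Function App created`.
```powershell
It "Should allow compliant App Services - Function - Windows" -Tag "allow-compliant-appservice" {
    AzTest -ResourceGroup {
        param($ResourceGroup)

        # A compliant site needs a plan; the deny cases get away without one because
        # the policy denial is returned before the payload is fully validated.
        $name = "alztest$(GenerateRandomString -Length 13)"
        $plan = New-AzAppServicePlan -ResourceGroupName $ResourceGroup.ResourceGroupName -Name "$name-plan" -Location "uksouth" -Tier "Basic"

        $object = @{
            kind       = "functionapp"
            location   = "uksouth"
            properties = @{
                httpsOnly    = $true
                serverFarmId = $plan.Id
            }
        }
        $payload = ConvertTo-Json -InputObject $object -Depth 100

        {
            # … unchanged: same Invoke-AzRestMethod PUT and status handling as the deny cases, with -Name $name …
        } | Should -Not -Throw
    }
}
```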
@@ -0,0 +1,120 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Websites +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-AppServiceWebApp-http'" -Tag "deny-appservice-webapp-http" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-AppServiceWebApp-http' } + New-AzPolicyAssignment -Name "TDeny-ASWeb-http" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + # Create or update App Service NSG is actually the same PUT request, hence testing create covers update as well. 
+ Context "Test HTTPS enabled on App Service - Web App when created or updated" -Tag "deny-appservice-webapp-http" { + + It "Should deny non-compliant App Services - Web App - Windows" -Tag "deny-noncompliant-appservice" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $object = @{ + kind = "app" + properties = @{ + httpsOnly = false + } + location = "uksouth" + } + + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + { + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Web" ` + -ResourceType "sites" ` + -Name "testAppServicefunc01" ` + -ApiVersion "2022-03-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # App Service - API created + } + elseif ($httpResponse.StatusCode -eq 202) { + Write-Information "==> Async deployment started" + } throw "Operation error: '$($httpResponse.Content)'" + # Error response describing why the operation failed. + else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should deny non-compliant App Services - Web App - Linux" -Tag "deny-noncompliant-appservice" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $object = @{ + kind = "app,linux" + properties = @{ + httpsOnly = false + } + location = "uksouth" + } + + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. 
+ { + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Web" ` + -ResourceType "sites" ` + -Name "testAppServicefunc02" ` + -ApiVersion "2022-03-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # App Service - API created + } + elseif ($httpResponse.StatusCode -eq 202) { + Write-Information "==> Async deployment started" + } throw "Operation error: '$($httpResponse.Content)'" + # Error response describing why the operation failed. + else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + } | Should -Throw "*disallowed by policy*" + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-ASWeb-http" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file diff --git a/tests/policy/Deny-FileServices-InsecureAuth.Tests.ps1 b/tests/policy/Deny-FileServices-InsecureAuth.Tests.ps1 new file mode 100644 index 0000000000..252cff160c --- /dev/null +++ b/tests/policy/Deny-FileServices-InsecureAuth.Tests.ps1 
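Review bot: The Web App tests were copied from the Function App file without updating the identifiers: both PUTs still use `-Name "testAppServicefunc01"` / `"testAppServicefunc02"`, the 200 branches say `# App Service - API created`, and the header comment reads `Create or update App Service NSG is actually the same PUT request`, where "NSG" is left over from another test. Hard-coded site names are also fragile because Microsoft.Web/sites names are globally unique, which matters as soon as an allow case is added; use `$name = "alztest$(GenerateRandomString -Length 13)"` (the helper comes from the imported Generic.Utils.psm1) and pass `-Name $name`. Fix the comments to `# Web App created` and `# Create or update App Service is the same PUT request, hence testing create covers update as well.`.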
@@ -0,0 +1,165 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Storage +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-FileServices-InsecureAuth'" -Tag "deny-files-auth" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-FileServices-InsecureAuth' } + New-AzPolicyAssignment -Name "TDeny-Files-auth" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test insercure authentication enabled on Storage Account - File Services when created" -Tag "deny-files-auth" { + + It "Should deny non-compliant Storage Account - File Services - Insecure Auth" -Tag "deny-noncompliant-files" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + 
-Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + { + # "versions": "SMB2.1;SMB3.0;SMB3.1.1", + # "authenticationMethods": "NTLMv2;Kerberos", + # "kerberosTicketEncryption": "RC4-HMAC;AES-256", + # "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM" + + $protocolSettings = @{ + smb = @{ + authenticationMethods = "NTLMv2" # Not valid + channelEncryption = "AES-256-GCM" # Valid + kerberosTicketEncryption = "AES-256" # Valid + versions = "SMB3.1.1" #Valid + } + } + + $object = @{ + properties = @{ + protocolSettings = $protocolSettings + } + } + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Storage" ` + -ResourceType @('storageAccounts','fileServices') ` + -Name @($name, 'default') ` + -ApiVersion "2022-09-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # Storage Account created + } + # Error response describing why the operation failed. 
+ else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant Storage Account - File Services - Insecure Auth" -Tag "allow-compliant-files" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + { + # "versions": "SMB2.1;SMB3.0;SMB3.1.1", + # "authenticationMethods": "NTLMv2;Kerberos", + # "kerberosTicketEncryption": "RC4-HMAC;AES-256", + # "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM" + + $protocolSettings = @{ + smb = @{ + authenticationMethods = "Kerberos" # Valid + channelEncryption = "AES-256-GCM" # Valid + kerberosTicketEncryption = "AES-256" # Valid + versions = "SMB3.1.1" # Valid + } + } + + $object = @{ + properties = @{ + protocolSettings = $protocolSettings + } + } + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Storage" ` + -ResourceType @('storageAccounts','fileServices') ` + -Name @($name, 'default') ` + -ApiVersion "2022-09-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # Storage Account created + } + # Error response describing why the operation failed. 
+ else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + + } | Should -Not -Throw + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-Files-auth" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file diff --git a/tests/policy/Deny-FileServices-InsecureKerberos.Tests.ps1 b/tests/policy/Deny-FileServices-InsecureKerberos.Tests.ps1 new file mode 100644 index 0000000000..bef1bf159f --- /dev/null +++ b/tests/policy/Deny-FileServices-InsecureKerberos.Tests.ps1 
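Review bot: The deny case only sends `authenticationMethods = "NTLMv2"`, while the header comment shows the service default is the combined `"NTLMv2;Kerberos"`, which is the value a real misconfiguration is most likely to carry. Whether the policy catches the combined string depends on how its condition is written (not visible here), so add a second deny It with `authenticationMethods = "NTLMv2;Kerberos" # Not valid` so the suite fails if the definition only matches the exact single value; the same gap exists in the Kerberos (`"RC4-HMAC;AES-256"`) and SMB channel (`"AES-128-CCM;AES-128-GCM;AES-256-GCM"`) hunks. The allow case also still carries the deny test's wording: the It name ends in `Insecure Auth` and the comment reads `# Should be disallowed by policy, so exception should be thrown.` although it asserts `Should -Not -Throw`; rename it to `... - Secure Auth` and change the comment to `# Should be allowed by policy, so no exception should be thrown.` (same copy in the Kerberos and SMB channel hunks).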
@@ -0,0 +1,165 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Storage +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-FileServices-InsecureKerberos'" -Tag "deny-files-kerb" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-FileServices-InsecureKerberos' } + New-AzPolicyAssignment -Name "TDeny-Files-kerb" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test insercure Kerberos ticket encryption enabled on Storage Account - File Services when created" -Tag "deny-files-kerb" { + + It "Should deny non-compliant Storage Account - File Services - Insecure Kerberos" -Tag "deny-noncompliant-files" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + 
-Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + { + # "versions": "SMB2.1;SMB3.0;SMB3.1.1", + # "authenticationMethods": "NTLMv2;Kerberos", + # "kerberosTicketEncryption": "RC4-HMAC;AES-256", + # "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM" + + $protocolSettings = @{ + smb = @{ + authenticationMethods = "Kerberos" # Valid + channelEncryption = "AES-256-GCM" # Valid + kerberosTicketEncryption = "RC4-HMAC" # Invalid + versions = "SMB3.1.1" #Valid + } + } + + $object = @{ + properties = @{ + protocolSettings = $protocolSettings + } + } + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Storage" ` + -ResourceType @('storageAccounts','fileServices') ` + -Name @($name, 'default') ` + -ApiVersion "2022-09-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # Storage Account created + } + # Error response describing why the operation failed. 
+ else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant Storage Account - File Services - Insecure Kerberos" -Tag "allow-compliant-files" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + { + # "versions": "SMB2.1;SMB3.0;SMB3.1.1", + # "authenticationMethods": "NTLMv2;Kerberos", + # "kerberosTicketEncryption": "RC4-HMAC;AES-256", + # "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM" + + $protocolSettings = @{ + smb = @{ + authenticationMethods = "Kerberos" # Valid + channelEncryption = "AES-256-GCM" # Valid + kerberosTicketEncryption = "AES-256" # Valid + versions = "SMB3.1.1" # Valid + } + } + + $object = @{ + properties = @{ + protocolSettings = $protocolSettings + } + } + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Storage" ` + -ResourceType @('storageAccounts','fileServices') ` + -Name @($name, 'default') ` + -ApiVersion "2022-09-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # Storage Account created + } + # Error response describing why the operation failed. 
+ else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + + } | Should -Not -Throw + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-Files-kerb" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file diff --git a/tests/policy/Deny-FileServices-InsecureSmbChannel.Tests.ps1 b/tests/policy/Deny-FileServices-InsecureSmbChannel.Tests.ps1 new file mode 100644 index 0000000000..ed766d2cf9 --- /dev/null +++ b/tests/policy/Deny-FileServices-InsecureSmbChannel.Tests.ps1 
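Review bot: `Should -Throw "*disallowed by policy*"` accepts a denial from any assignment in scope, not only the `TDeny-Files-kerb` assignment created in BeforeAll, so a stale assignment left behind by a failed AfterAll, or a broader deny assignment on the corp management group, would make this test pass for the wrong reason. The RequestDisallowedByPolicy response body lists the policy identifiers of the denying assignment, so tightening the expectation to include the assignment name, e.g. `} | Should -Throw "*disallowed by policy*TDeny-Files-kerb*"`, pins the denial to the definition under test (confirm the exact field the message carries against a captured response). The same pattern applies to every deny test added in this commit.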
@@ -0,0 +1,165 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Storage +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-FileServices-InsecureSmbChannel'" -Tag "deny-files-channel" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-FileServices-InsecureSmbChannel' } + New-AzPolicyAssignment -Name "TDeny-Files-channel" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test insercure channel encryption enabled on Storage Account - File Services when created" -Tag "deny-files-channel" { + + It "Should deny non-compliant Storage Account - File Services - Insecure Channel Encryption" -Tag "deny-noncompliant-files" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + New-AzStorageAccount ` + -ResourceGroupName 
$ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + { + # "versions": "SMB2.1;SMB3.0;SMB3.1.1", + # "authenticationMethods": "NTLMv2;Kerberos", + # "kerberosTicketEncryption": "RC4-HMAC;AES-256", + # "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM" + + $protocolSettings = @{ + smb = @{ + authenticationMethods = "Kerberos" # Valid + channelEncryption = "AES-128-CCM" # Invalid + kerberosTicketEncryption = "AES-256" # Valid + versions = "SMB3.1.1" #Valid + } + } + + $object = @{ + properties = @{ + protocolSettings = $protocolSettings + } + } + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Storage" ` + -ResourceType @('storageAccounts','fileServices') ` + -Name @($name, 'default') ` + -ApiVersion "2022-09-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # Storage Account created + } + # Error response describing why the operation failed. 
+ else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant Storage Account - File Services - Insecure Channel Encryption" -Tag "allow-compliant-files" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + { + # "versions": "SMB2.1;SMB3.0;SMB3.1.1", + # "authenticationMethods": "NTLMv2;Kerberos", + # "kerberosTicketEncryption": "RC4-HMAC;AES-256", + # "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM" + + $protocolSettings = @{ + smb = @{ + authenticationMethods = "Kerberos" # Valid + channelEncryption = "AES-256-GCM" # Valid + kerberosTicketEncryption = "AES-256" # Valid + versions = "SMB3.1.1" # Valid + } + } + + $object = @{ + properties = @{ + protocolSettings = $protocolSettings + } + } + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Storage" ` + -ResourceType @('storageAccounts','fileServices') ` + -Name @($name, 'default') ` + -ApiVersion "2022-09-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # Storage Account created + } + # Error response describing why the operation failed. 
+ else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + + } | Should -Not -Throw + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-Files-channel" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file diff --git a/tests/policy/Deny-FileServices-InsecureSmbVersions.Tests.ps1 b/tests/policy/Deny-FileServices-InsecureSmbVersions.Tests.ps1 new file mode 100644 index 0000000000..ce9a6bbb00 --- /dev/null +++ b/tests/policy/Deny-FileServices-InsecureSmbVersions.Tests.ps1 
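Review bot: The comment `# Should be disallowed by policy, so exception should be thrown.` is copied into the compliant case as well, where the block ends in `Should -Not -Throw`; in the second `It` it should read `# Should be allowed by policy, so no exception is expected.` The same stale comment appears in Deny-FileServices-InsecureSmbVersions.Tests.ps1 and in the two `Should -Not -Throw` cases of Deny-MgmtPorts-From-Internet.Tests.ps1. Separately, the BeforeAll comment says the prefix is taken from the deployment configuration "if not specified", but the assignment to `$esCompanyPrefix` is unconditional and `$mangementGroupScope` is only set inside the `if`, so an empty `-DeploymentConfigPath` leaves the scope `$null` when `New-AzPolicyAssignment` runs; guarding with `if ([String]::IsNullOrEmpty($esCompanyPrefix)) { $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix }` and building the scope after the block would match the comment. This BeforeAll block is repeated verbatim in every test file in this commit.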
@@ -0,0 +1,165 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Storage +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-FileServices-InsecureSmbVersions'" -Tag "deny-files-channel" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-FileServices-InsecureSmbVersions' } + New-AzPolicyAssignment -Name "TDeny-Files-smbver" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test insercure SMB version enabled on Storage Account - File Services when created" -Tag "deny-files-smbver" { + + It "Should deny non-compliant Storage Account - File Services - Insecure SMB version" -Tag "deny-noncompliant-files" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + 
-Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + { + # "versions": "SMB2.1;SMB3.0;SMB3.1.1", + # "authenticationMethods": "NTLMv2;Kerberos", + # "kerberosTicketEncryption": "RC4-HMAC;AES-256", + # "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM" + + $protocolSettings = @{ + smb = @{ + authenticationMethods = "Kerberos" # Valid + channelEncryption = "AES-256-GCM" # Valid + kerberosTicketEncryption = "AES-256" # Valid + versions = "SMB2.1" # Invalid + } + } + + $object = @{ + properties = @{ + protocolSettings = $protocolSettings + } + } + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Storage" ` + -ResourceType @('storageAccounts','fileServices') ` + -Name @($name, 'default') ` + -ApiVersion "2022-09-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # Storage Account created + } + # Error response describing why the operation failed. 
+ else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant Storage Account - File Services - Insecure SMB version" -Tag "allow-compliant-files" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + { + # "versions": "SMB2.1;SMB3.0;SMB3.1.1", + # "authenticationMethods": "NTLMv2;Kerberos", + # "kerberosTicketEncryption": "RC4-HMAC;AES-256", + # "channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM" + + $protocolSettings = @{ + smb = @{ + authenticationMethods = "Kerberos" # Valid + channelEncryption = "AES-256-GCM" # Valid + kerberosTicketEncryption = "AES-256" # Valid + versions = "SMB3.1.1" # Valid + } + } + + $object = @{ + properties = @{ + protocolSettings = $protocolSettings + } + } + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Storage" ` + -ResourceType @('storageAccounts','fileServices') ` + -Name @($name, 'default') ` + -ApiVersion "2022-09-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # Storage Account created + } + # Error response describing why the operation failed. 
+ else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + + } | Should -Not -Throw + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-Files-smbver" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file diff --git a/tests/policy/Deny-MgmtPorts-From-Internet.Tests.ps1 b/tests/policy/Deny-MgmtPorts-From-Internet.Tests.ps1 new file mode 100644 index 0000000000..25f3003860 --- /dev/null +++ b/tests/policy/Deny-MgmtPorts-From-Internet.Tests.ps1 
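Review bot: The `Describe` at the top of this file carries `-Tag "deny-files-channel"`, which is the SmbChannel file's tag, while the Context below uses `deny-files-smbver`; filtering a Pester run on `deny-files-channel` therefore executes both policies' tests, and this file has no Describe-level tag of its own. It should be `Describe "Testing policy 'Deny-FileServices-InsecureSmbVersions'" -Tag "deny-files-smbver" {`. Coverage-wise, both cases set `versions` to a single value although the comment documents the property as a semicolon-separated list; a mixed value such as `"SMB2.1;SMB3.1.1"` is the configuration most likely to slip past a definition that compares the whole string rather than its members, so a third case asserting it is denied would be worth adding if the policy is meant to catch it.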
@@ -0,0 +1,327 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Network +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-from-internet" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-MgmtPorts-From-Internet' } + New-AzPolicyAssignment -Name "TDeny-MgmtPorts-Internet" -Scope $mangementGroupScope -PolicyDefinition $definition -PolicyParameterObject @{ + "ports" = @("3389", "22") + } + + } + + # Create or update NSG is actually the same PUT request, hence testing create covers update as well. 
+ Context "Test open ports NSG is created or updated" -Tag "deny-mgmtports-from-internet-nsg-port" { + + It "Should deny non-compliant port '3389'" -Tag "deny-noncompliant-nsg-port" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $networkSecurityGroup = New-AzNetworkSecurityGroup ` + -Name "nsg-test" ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Location $ResourceGroup.Location + + # Should be disallowed by policy, so exception should be thrown. + { + $networkSecurityGroup | Add-AzNetworkSecurityRuleConfig ` + -Name RDP-rule ` + -Description "Allow RDP" ` + -Access Allow ` + -Protocol Tcp ` + -Direction Inbound ` + -Priority 200 ` + -SourceAddressPrefix * ` + -SourcePortRange * ` + -DestinationAddressPrefix * ` + -DestinationPortRange 3389 # Incompliant. + | Set-AzNetworkSecurityGroup + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should deny non-compliant port '3389' inline" -Tag "deny-noncompliant-nsg-port" { + AzTest -ResourceGroup { + param($ResourceGroup) + + # Should be disallowed by policy, so exception should be thrown. + { + New-AzNetworkSecurityGroup ` + -Name "nsg-test" ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Location $ResourceGroup.Location | Add-AzNetworkSecurityRuleConfig ` + -Name RDP-rule ` + -Description "Allow RDP" ` + -Access Allow ` + -Protocol Tcp ` + -Direction Inbound ` + -Priority 200 ` + -SourceAddressPrefix * ` + -SourcePortRange * ` + -DestinationAddressPrefix * ` + -DestinationPortRange 3389 # Incompliant. + | Set-AzNetworkSecurityGroup + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should deny non-compliant port range (21-23)" -Tag "deny-noncompliant-nsg-port" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $networkSecurityGroup = New-AzNetworkSecurityGroup ` + -Name "nsg-test" ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Location $ResourceGroup.Location + + # Should be disallowed by policy, so exception should be thrown. 
+ { + $networkSecurityGroup | Add-AzNetworkSecurityRuleConfig ` + -Name SSH-rulePlus ` + -Description "Allow Mgmt" ` + -Access Allow ` + -Protocol Tcp ` + -Direction Inbound ` + -Priority 200 ` + -SourceAddressPrefix * ` + -SourcePortRange * ` + -DestinationAddressPrefix * ` + -DestinationPortRange "21-23" # Incompliant. + | Set-AzNetworkSecurityGroup + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant ports (443)" -Tag "allow-compliant-nsg-port" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $networkSecurityGroup = New-AzNetworkSecurityGroup ` + -Name "nsg-test" ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Location $ResourceGroup.Location + + # Should be disallowed by policy, so exception should be thrown. + { + $networkSecurityGroup | Add-AzNetworkSecurityRuleConfig ` + -Name web-rule ` + -Description "Allow Web" ` + -Access Allow ` + -Protocol Tcp ` + -Direction Inbound ` + -Priority 200 ` + -SourceAddressPrefix * ` + -SourcePortRange * ` + -DestinationAddressPrefix * ` + -DestinationPortRange 443 # Compliant. + | Set-AzNetworkSecurityGroup + } | Should -Not -Throw + } + } + + It "Should deny non-compliant port range (multi-rule)" -Tag "deny-noncompliant-nsg-port" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $networkSecurityGroup = New-AzNetworkSecurityGroup ` + -Name "nsg-test2" ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Location $ResourceGroup.Location + + # Should be disallowed by policy, so exception should be thrown. 
+ { + $networkSecurityGroup | Add-AzNetworkSecurityRuleConfig ` + -Name Web-rule ` + -Description "Allow Web" ` + -Access Allow ` + -Protocol Tcp ` + -Direction Inbound ` + -Priority 300 ` + -SourceAddressPrefix * ` + -SourcePortRange * ` + -DestinationAddressPrefix * ` + -DestinationPortRange 443 + | Add-AzNetworkSecurityRuleConfig ` + -Name SSH-rule ` + -Description "Allow Mgmt" ` + -Access Allow ` + -Protocol Tcp ` + -Direction Inbound ` + -Priority 310 ` + -SourceAddressPrefix * ` + -SourcePortRange * ` + -DestinationAddressPrefix * ` + -DestinationPortRange "21-23" # Incompliant. + | Set-AzNetworkSecurityGroup + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should deny non-compliant port ranges* - API" -Tag "deny-noncompliant-nsg-port" { + AzTest -ResourceGroup { + param($ResourceGroup) + + #Destination port ranges to test + $portRanges = @("23","3388-3390","8080") + + $securityRules = @( + @{ + name = "Web-rule" + properties = @{ + description = "Allow Web" + protocol = "Tcp" + sourcePortRange = "*" + destinationPortRange = "443" + sourceAddressPrefix = "*" + destinationAddressPrefix = "*" + access = "Allow" + priority = 300 + direction = "Inbound" + } + }, + @{ + name = "Multi-rule" + properties = @{ + description = "Allow Mgmt" + protocol = "Tcp" + sourcePortRange = "*" + destinationPortRanges = $portRanges + sourceAddressPrefix = "*" + destinationAddressPrefix = "*" + access = "Allow" + priority = 310 + direction = "Inbound" + } + } + ) + + $object = @{ + properties = @{ + securityRules = $securityRules + } + location = "uksouth" + } + + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. 
+ { + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Network" ` + -ResourceType "networkSecurityGroups" ` + -Name "testNSG98" ` + -ApiVersion "2022-11-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200 -or $httpResponse.StatusCode -eq 201) { + # NSG created + } + # Error response describing why the operation failed. + else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant port ranges* - API" -Tag "allow-compliant-nsg-port" { + AzTest -ResourceGroup { + param($ResourceGroup) + + #Destination port ranges to test + $portRanges = @("23","3390-3392","8080") + + # Create Payload for NSG + $securityRules = @( + @{ + name = "Web-rule" + properties = @{ + description = "Allow Web2" + protocol = "Tcp" + sourcePortRange = "*" + destinationPortRange = "443" + sourceAddressPrefix = "*" + destinationAddressPrefix = "*" + access = "Allow" + priority = 300 + direction = "Inbound" + } + }, + @{ + name = "Multi-rule" + properties = @{ + description = "Allow Mgmt3" + protocol = "Tcp" + sourcePortRange = "*" + destinationPortRanges = $portRanges + sourceAddressPrefix = "*" + destinationAddressPrefix = "*" + access = "Allow" + priority = 310 + direction = "Inbound" + } + } + ) + + $object = @{ + properties = @{ + securityRules = $securityRules + } + location = "uksouth" + } + + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. 
+ { + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Network" ` + -ResourceType "networkSecurityGroups" ` + -Name "testNSG99" ` + -ApiVersion "2022-11-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200 -or $httpResponse.StatusCode -eq 201) { + # NSG created + } + # Error response describing why the operation failed. + else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + } | Should -Not -Throw + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-MgmtPorts-Internet" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file diff --git a/tests/policy/Deny-MySql-http.Tests.ps1 b/tests/policy/Deny-MySql-http.Tests.ps1 new file mode 100644 index 0000000000..0818658786 --- /dev/null +++ b/tests/policy/Deny-MySql-http.Tests.ps1 
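Review bot: Every rule in this file uses `-SourceAddressPrefix *` (or `sourceAddressPrefix = "*"`), so the "From-Internet" half of the policy is never exercised: there is no case asserting that the `Internet` service tag is denied for port 3389, and no case asserting that the same port from a private prefix such as `10.0.0.0/8` or the `VirtualNetwork` tag is allowed. Without the second case the suite cannot catch a definition that over-matches and blocks intra-VNet management traffic; without the first it cannot distinguish `*` handling from `Internet` handling, if the definition treats them differently. One `It` per source form, reusing the existing `Add-AzNetworkSecurityRuleConfig` shape with only `-SourceAddressPrefix` changed, would close both gaps.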
@@ -0,0 +1,94 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.MySql +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-MySql-http'" -Tag "deny-mysql-http" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-MySql-http' } + New-AzPolicyAssignment -Name "TDeny-MySql-http" -Scope $mangementGroupScope -PolicyDefinition $definition + + # Register the resource provider for MySQL + $rp = Get-AzResourceProvider -ListAvailable | + Where-Object -Property ProviderNamespace -Like -Value "Microsoft.DBforMySQL" + + if ($rp.RegistrationState -eq "NotRegistered"){ + Register-AzResourceProvider -ProviderNamespace Microsoft.DBforMySQL + } + + } + + Context "Test SSL on MySQL database servers when created or updated" -Tag "deny-mysql-http" { + + It "Should deny non-compliant SSL on MySQL database servers - SSL Disabled" -Tag "deny-mysql-http" { + 
AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $password = GeneratePasswordString -Length 20 | ConvertTo-Securestring -AsPlainText -Force + $name = "mysql-$random" + + { + New-AzMySqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement 'Disabled' -MinimalTlsVersion 'TLS1_2' -Sku GP_Gen5_2 + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should deny non-compliant SSL on MySQL database servers - TLS Version" -Tag "deny-mysql-http" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $password = GeneratePasswordString -Length 20 | ConvertTo-Securestring -AsPlainText -Force + $name = "mysql-$random" + + { + New-AzMySqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement 'Enabled' -MinimalTlsVersion 'TLS1_0' -Sku GP_Gen5_2 + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant SSL on MySQL database servers" -Tag "allow-mysql-http" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $password = GeneratePasswordString -Length 20 | ConvertTo-Securestring -AsPlainText -Force + $name = "mysql-$random" + + { + New-AzMySqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement 'Enabled' -MinimalTlsVersion 'TLS1_2' -Sku GP_Gen5_2 + + } | Should -Not -Throw + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-MySql-http" -Scope $mangementGroupScope -Confirm:$false + } +} 
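Review bot: `Register-AzResourceProvider` in BeforeAll returns before the namespace is actually registered, so on a subscription where Microsoft.DBforMySQL was `NotRegistered` the first `New-AzMySqlServer` can fail with a registration error rather than the policy denial, and the `Should -Throw "*disallowed by policy*"` cases then fail for the wrong reason. After registering, poll until the provider reports registered, e.g. `while ((Get-AzResourceProvider -ProviderNamespace Microsoft.DBforMySQL).RegistrationState -ne 'Registered') { Start-Sleep -Seconds 10 }`. Deny-PostgreSql-http.Tests.ps1 has the same pattern for Microsoft.DBforPostgreSQL.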
diff --git a/tests/policy/Deny-PostgreSql-http.Tests.ps1 b/tests/policy/Deny-PostgreSql-http.Tests.ps1
new file mode 100644
index 0000000000..ca1dfc1da7
--- /dev/null
+++ b/tests/policy/Deny-PostgreSql-http.Tests.ps1
@@ -0,0 +1,94 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.PostgreSql +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-PostgreSql-http'" -Tag "deny-pgsql-http" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-PostgreSql-http' } + New-AzPolicyAssignment -Name "TDeny-PgSql-http" -Scope $mangementGroupScope -PolicyDefinition $definition + + # Register the resource provider for PostgreSQL + $rp = Get-AzResourceProvider -ListAvailable | + Where-Object -Property ProviderNamespace -Like -Value "Microsoft.DBforPostgreSQL" + + if ($rp.RegistrationState -eq "NotRegistered"){ + Register-AzResourceProvider -ProviderNamespace Microsoft.DBforPostgreSQL + } + + } + + Context "Test SSL on PostgreSQL database servers when created or updated" -Tag "deny-pgsql-http" { + + It "Should deny non-compliant SSL on PostgreSQL database servers - 
SSL Disabled" -Tag "deny-pgsql-http" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $password = GeneratePasswordString -Length 20 | ConvertTo-Securestring -AsPlainText -Force + $name = "mysql-$Random" + + { + New-AzPostgreSqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement Disabled -MinimalTlsVersion 'TLS1_2' -Sku GP_Gen5_2 + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should deny non-compliant SSL on PostgreSQL database servers - TLS Version" -Tag "deny-pgsql-http" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $password = GeneratePasswordString -Length 20 | ConvertTo-Securestring -AsPlainText -Force + $name = "mysql-$Random" + + { + New-AzPostgreSqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement 'Enabled' -MinimalTlsVersion 'TLS1_1' -Sku GP_Gen5_2 + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant SSL on PostgreSQL database servers" -Tag "allow-pgsql-http" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $password = GeneratePasswordString -Length 20 | ConvertTo-Securestring -AsPlainText -Force + $name = "mysql-$Random" + + { + New-AzPostgreSqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement 'Enabled' -MinimalTlsVersion 'TLS1_2' -Sku GP_Gen5_2 + + } | Should -Not -Throw + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-PgSql-http" -Scope $mangementGroupScope -Confirm:$false + } +} 
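Review bot: The server name and admin login in all three cases are copied from the MySQL file: `$name = "mysql-$Random"` and `-AdministratorUserName mysql_test` create PostgreSQL servers labelled as MySQL, which makes leftover resources and activity-log entries misleading when a run fails before cleanup. Use `$name = "pgsql-$random"` and `-AdministratorUserName pgsql_test`. In the first case `-SslEnforcement Disabled` is unquoted while the other two quote `'Enabled'`; either form works, but the file should pick one.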
diff --git a/tests/policy/Deny-Private-DNS-Zones.Tests.ps1 b/tests/policy/Deny-Private-DNS-Zones.Tests.ps1
new file mode 100644
index 0000000000..3ec20f9dae
--- /dev/null
+++ b/tests/policy/Deny-Private-DNS-Zones.Tests.ps1
@@ -0,0 +1,52 @@
+[CmdletBinding()]
+param (
+[Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json",
+[Parameter()][String]$esCompanyPrefix
+)
+
+Import-Module -Name Az.Network
+Import-Module -Name Az.Resources
+Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force
+
+Describe "Testing policy 'Deny-Private-DNS-Zones'" -Tag "deny-pvt-dns" {
+
+BeforeAll {
+
+# Set the default context for Az commands.
+Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force
+
+if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) {
+Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath"
+$deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable
+
+# Set the esCompanyPrefix from the deployment configuration if not specified
+$esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix
+$mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp"
+}
+
+$definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-Private-DNS-Zones' }
+New-AzPolicyAssignment -Name "TDeny-pvt-dns" -Scope $mangementGroupScope -PolicyDefinition $definition
+
+}
+
+Context "Test Private DNS when created" -Tag "deny-pvt-dns" {
+
+It "Should deny non-compliant Private DNS" -Tag "deny-pvt-dns" {
+AzTest -ResourceGroup {
+param($ResourceGroup)
+
+{
+New-AzPrivateDnsZone -Name "alztest.com" -ResourceGroupName $ResourceGroup.ResourceGroupName
+
+} | Should -Throw "*disallowed by policy*"
+}
+}
+}
+
+AfterAll {
+Remove-AzPolicyAssignment -Name "TDeny-pvt-dns" -Scope $mangementGroupScope -Confirm:$false
+}
+}
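Review bot: `Should -Throw "*disallowed by policy*"` accepts a denial from any policy assigned at the corp management group, and this file has no compliant case to act as a control, so the single test still passes if `TDeny-pvt-dns` never took effect and some other deny assignment rejected the zone. The RequestDisallowedByPolicy response normally carries the policy identifiers, so matching on the assignment name, `Should -Throw "*TDeny-pvt-dns*"`, ties the failure to this definition; the same bare wildcard is used in every other test file in this commit. Note also that the `New-AzPolicyAssignment` in BeforeAll is followed immediately by the test; unless AzTest waits for the assignment to propagate, the first run after assignment can see the zone created and report a false failure.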
diff --git a/tests/policy/Deny-Redis-http.Tests.ps1.TODO b/tests/policy/Deny-Redis-http.Tests.ps1.TODO
new file mode 100644
index 0000000000..2ef7c3b716
--- /dev/null
+++ b/tests/policy/Deny-Redis-http.Tests.ps1.TODO
@@ -0,0 +1,176 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.RedisCache +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +####################################################################################################################### +## +## TODO: This test is redundant, as the append policies for this resource fire before the deny logic resulting in a conflicting action. +## +####################################################################################################################### + +Describe "Testing policy 'Deny-Redis-http'" -Tag "deny-redis-http" { + + BeforeAll { + + # Set the default context for Az commands. 
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-Redis-http' } + New-AzPolicyAssignment -Name "TDeny-Redis-http" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test secure connections enabled on Azure Cache for Redis when created" -Tag "deny-redis-http" { + + # It "Should deny non-compliant Azure Cache for Redis - EnableNonSslPort" -Tag "deny-noncompliant-redis" { + # AzTest -ResourceGroup { + # param($ResourceGroup) + + # $random = GenerateRandomString -Length 5 + # $name = "alztest$Random" + + # { + # New-AzRedisCache ` + # -ResourceGroupName $ResourceGroup.ResourceGroupName ` + # -Name $name ` + # -Location "uksouth" ` + # -EnableNonSslPort $true ` + # -MinimumTlsVersion "TLS1_2" + + # } | Should -Throw "*disallowed by policy*" + # } + # } + + # PowerShell 10.1 does not support disabling publicAccess so have to use REST API + It "Should deny non-compliant Azure Cache for Redis - EnableNonSslPort" -Tag "deny-noncompliant-redis" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + $sku = @{ + name = "C" + family = "Basic" + capacity = 0 + } + + $object = @{ + properties = @{ + sku = $sku + publicNetworkAccess = "Disabled" + EnableNonSslPort = $true + minimumTlsVersion = "TLS1_2" + } + location = "uksouth" + } + + $payload = ConvertTo-Json 
-InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + { + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Cache" ` + -ResourceType "redis" ` + -Name $name ` + -ApiVersion "2023-04-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200 -or $httpResponse.StatusCode -eq 201) { + # Storage Account created + } + # Error response describing why the operation failed. + else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + } | Should -Throw "*disallowed by policy*" + } + } + + # It "Should deny non-compliant Azure Cache for Redis - TLS version" -Tag "deny-noncompliant-redis" { + # AzTest -ResourceGroup { + # param($ResourceGroup) + + # $random = GenerateRandomString -Length 5 + # $name = "alztest$Random" + + # { + # New-AzRedisCache ` + # -ResourceGroupName $ResourceGroup.ResourceGroupName ` + # -Name $name ` + # -Location "uksouth" ` + # -EnableNonSslPort $false ` + # -MinimumTlsVersion "TLS1_0" + + # } | Should -Throw "*disallowed by policy*" + # } + # } + + # It "Should allow compliant Azure Cache for Redis" -Tag "allow-compliant-redis" { + # AzTest -ResourceGroup { + # param($ResourceGroup) + + # $random = GenerateRandomString -Length 5 + # $name = "alztest$Random" + + # { + # New-AzRedisCache ` + # -ResourceGroupName $ResourceGroup.ResourceGroupName ` + # -Name $name ` + # -Location "uksouth" ` + # -EnableNonSslPort $false ` + # -MinimumTlsVersion "TLS1_2" + + # } | Should -Not -Throw + # } + # } + } + + # Context "Test secure connections enabled on Azure Cache for Redis when updated" -Tag "deny-redis-http" { + + # It "Should deny non-compliant Azure Cache for Redis" -Tag "deny-noncompliant-redis" { + # AzTest -ResourceGroup { + # param($ResourceGroup) + + # $random = GenerateRandomString -Length 5 + # $name = "alztest$Random" + + # # Should be disallowed by policy, so exception 
should be thrown. + # { + # New-AzRedisCache ` + # -ResourceGroupName $ResourceGroup.ResourceGroupName ` + # -Name $name ` + # -Location "uksouth" ` + # -EnableNonSslPort $false ` + # -MinimumTlsVersion "TLS1_2" + + # Set-AzRedisCache ` + # -Name $name ` + # -EnableNonSslPort $true ` + # -MinimumTlsVersion "TLS1_1.1" + + # } | Should -Throw "*disallowed by policy*" + # } + # } + # } +} \ No newline at end of file diff --git a/tests/policy/Deny-Storage-SFTP.Tests.ps1 b/tests/policy/Deny-Storage-SFTP.Tests.ps1 new file mode 100644 index 0000000000..a9b8420732 --- /dev/null +++ b/tests/policy/Deny-Storage-SFTP.Tests.ps1 
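Review bot: The comment `# PowerShell 10.1 does not support disabling publicAccess so have to use REST API` does not name a real PowerShell version, and the success-branch comment `# Storage Account created` is copied from the storage tests, so a reader cannot tell why the only live case in this file goes through `Invoke-AzRestMethod`. Presumably the Az.RedisCache module version is meant; state that, e.g. `# Az.RedisCache <module version - placeholder> does not expose publicNetworkAccess, so the cache is created via the REST API` and `# Cache created; the deny policy did not fire`. Since the banner explains the file is parked as .TODO because append policies on this resource type fire before the deny, that rationale could also be repeated next to the live It so the two pieces of context sit together. The enclosing Describe spans several collapsed lines of this hunk.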
@@ -0,0 +1,124 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Storage +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-Storage-SFTP'" -Tag "deny-storage-sftp" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-Storage-SFTP' } + New-AzPolicyAssignment -Name "TDeny-STA-sftp" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test SFTP enabled on Storage Account when created" -Tag "deny-storage-sftp" { + + It "Should deny non-compliant Storage Account - SFTP" -Tag "deny-noncompliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + 
-MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" ` + -EnableSftp $true + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant Storage Account - SFTP" -Tag "allow-compliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + } | Should -Not -Throw + } + } + } + + Context "Test SFTP on Storage Account when updated" -Tag "deny-storage-SFTP" { + + It "Should deny non-compliant Storage Account - SFTP" -Tag "deny-noncompliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + # Should be disallowed by policy, so exception should be thrown. + { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + Set-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" ` + -EnableSftp $true + + } | Should -Throw "*disallowed by policy*" + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-STA-sftp" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file 
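Review bot: The update Context is tagged `-Tag "deny-storage-SFTP"` while the Describe and every other tag in the file use `"deny-storage-sftp"`; Pester tag matching is case-insensitive so it still runs, but the mismatch reads as a typo and will escape any case-sensitive tag list in CI, so use `-Tag "deny-storage-sftp"`. Similarly `$random = GenerateRandomString -Length 13` is consumed as `"alztest$Random"`; PowerShell variable names are case-insensitive, so this works, but one spelling should be used. A one-line comment above the deny cases stating that the account is created with `-PublicNetworkAccess "Disabled"` and `-AllowBlobPublicAccess $false` so that only `-EnableSftp $true` differs between the deny and allow cases would make the near-identical parameter lists easier to review.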
diff --git a/tests/policy/Deny-Storage-minTLS.Tests.ps1 b/tests/policy/Deny-Storage-minTLS.Tests.ps1 new file mode 100644 index 0000000000..3359adf20c --- /dev/null +++ b/tests/policy/Deny-Storage-minTLS.Tests.ps1 
@@ -0,0 +1,200 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Storage +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-Storage-minTLS'" -Tag "deny-storage-mintls" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-Storage-minTLS' } + New-AzPolicyAssignment -Name "TDeny-STA-minTLS" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test minimum TLS version enabled on Storage Account when created" -Tag "deny-storage-mintls" { + + It "Should deny non-compliant Storage Account - Minimum TLS version - via API" -Tag "deny-noncompliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + $sku = @{ + name = "Standard_LRS" + tier = "Standard" + } + + $object = @{ + kind = "StorageV2" + sku = $sku + properties = @{ + 
minimumTlsVersion = "TLS1_0" + allowBlobPublicAccess = $false + publicNetworkAccess = "Disabled" + } + location = "uksouth" + } + + $payload = ConvertTo-Json -InputObject $object -Depth 100 + + # Should be disallowed by policy, so exception should be thrown. + { + $httpResponse = Invoke-AzRestMethod ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -ResourceProviderName "Microsoft.Storage" ` + -ResourceType "storageAccounts" ` + -Name $name ` + -ApiVersion "2022-09-01" ` + -Method "PUT" ` + -Payload $payload + + if ($httpResponse.StatusCode -eq 200) { + # Storage Account created + } + elseif ($httpResponse.StatusCode -eq 202) { + # Storage Account provisioning is asynchronous, so wait for it to complete. + $asyncOperation = $httpResponse | Wait-AsyncOperation + if ($asyncOperation.Status -ne "Succeeded") { + throw "Asynchronous operation failed with message: '$($asyncOperation)'" + } + } + # Error response describing why the operation failed. + else { + throw "Operation failed with message: '$($httpResponse.Content)'" + } + } | Should -Throw "*disallowed by policy*" + } + } + + # Secure transfer should be enabled by default as part of this policy check even though there is a dedicated policy for this. Should throw an exception if the other policy is not assigned. + It "Should deny non-compliant Storage Account - HTTPS Traffic only" -Tag "deny-noncompliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + # Should be disallowed by policy, so exception should be thrown. 
+ { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $false ` + -PublicNetworkAccess "Disabled" + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should deny non-compliant Storage Account - TLS version" -Tag "deny-noncompliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + # Should be disallowed by policy, so exception should be thrown. + { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_1" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant Storage Account - Minimum TLS version" -Tag "allow-compliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + } | Should -Not -Throw + } + } + } + + Context "Test minimum TLS version enabled on Storage Account when updated" -Tag "deny-storage-mintls" { + + It "Should deny non-compliant Storage Account - Minimum TLS version" -Tag "deny-noncompliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + # Should be disallowed by policy, so exception should be 
thrown. + { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + Set-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -MinimumTlsVersion "TLS1_0" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + } | Should -Throw "*disallowed by policy*" + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-STA-minTLS" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file diff --git a/tests/policy/Deny-StorageAccount-CustomDomain.Tests.ps1 b/tests/policy/Deny-StorageAccount-CustomDomain.Tests.ps1 new file mode 100644 index 0000000000..5ff652de1e --- /dev/null +++ b/tests/policy/Deny-StorageAccount-CustomDomain.Tests.ps1 
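Review bot: None of the deny cases exercises the most common non-compliant shape, a request that omits `minimumTlsVersion` altogether; the REST test pins `minimumTlsVersion = "TLS1_0"` and the cmdlet tests pass `TLS1_1` or `TLS1_0` explicitly, so a definition written only as `notEquals TLS1_2` without an `exists` clause would pass this suite yet allow an account created with the provider default. A variant of the `Invoke-AzRestMethod` test with that key removed from `$object.properties`, still asserting `Should -Throw "*disallowed by policy*"`, would close the gap. The comment above the HTTPS-only case, `# Secure transfer should be enabled by default as part of this policy check even though there is a dedicated policy for this. Should throw an exception if the other policy is not assigned.`, leaves it unclear whether Deny-Storage-minTLS itself is expected to deny `-EnableHttpsTrafficOnly $false`; reword it to name the policy expected to fire.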
@@ -0,0 +1,152 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Storage +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-StorageAccount-CustomDomain'" -Tag "deny-storage-custdom" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-StorageAccount-CustomDomain' } + New-AzPolicyAssignment -Name "TDeny-STA-custdom" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test custom domain enabled on Storage Account when created" -Tag "deny-storage-custdom" { + + It "Should deny non-compliant Storage Account - Custom Domain - both properties set" -Tag "deny-noncompliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + 
-Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" ` + -CustomDomainName "$name.blob.core.windows.net" ` + -UseSubDomain $true + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should deny non-compliant Storage Account - Custom Domain - domain name set" -Tag "deny-noncompliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + # Should be disallowed by policy, so exception should be thrown. + { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" ` + -CustomDomainName "$name.blob.core.windows.net" ` + -UseSubDomain $false + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant Storage Account - Custom Domain" -Tag "allow-compliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "alztest$Random" + + { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + } | Should -Not -Throw + } + } + } + + Context "Test custom domain enabled on Storage Account when updated" -Tag "deny-storage-custdom" { + + It "Should deny non-compliant Storage Account - Custom Domain - both properties set" -Tag "deny-noncompliant-storage" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = 
"alztest$Random" + + # Should be disallowed by policy, so exception should be thrown. + { + New-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -Location "uksouth" ` + -SkuName "Standard_LRS" ` + -Kind "StorageV2" ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" + + Set-AzStorageAccount ` + -ResourceGroupName $ResourceGroup.ResourceGroupName ` + -Name $name ` + -MinimumTlsVersion "TLS1_2" ` + -AllowBlobPublicAccess $false ` + -EnableHttpsTrafficOnly $true ` + -PublicNetworkAccess "Disabled" ` + -CustomDomainName "$name.blob.core.windows.net" ` + -UseSubDomain $true + + } | Should -Throw "*disallowed by policy*" + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-STA-custdom" -Scope $mangementGroupScope -Confirm:$false + } +} \ No newline at end of file diff --git a/tests/policy/Deny-Subnet-Without-Nsg.Tests.ps1 b/tests/policy/Deny-Subnet-Without-Nsg.Tests.ps1 new file mode 100644 index 0000000000..4209d0834c --- /dev/null +++ b/tests/policy/Deny-Subnet-Without-Nsg.Tests.ps1 
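Review bot: The first It in the create Context ("both properties set") is the only deny case in the file without the `# Should be disallowed by policy, so exception should be thrown.` comment the other deny cases carry; add it for consistency. The custom domain under test is the account's own default endpoint, `"$name.blob.core.windows.net"`, not a customer-owned domain; this works because policy evaluation rejects the request before the resource provider validates the CNAME, but a comment such as `# Any non-empty customDomain.name must be denied; the value is never validated because policy rejects the request first` would stop a future reader from "fixing" it into a domain the test cannot own.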
@@ -0,0 +1,96 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Network +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-Subnet-Without-Nsg'" -Tag "deny-subnet-nsg" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-Subnet-Without-Nsg' } + New-AzPolicyAssignment -Name "TDeny-Subnet-NSG" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test NSG on Virtual Network when created or updated" -Tag "deny-subnet-nsg" { + + It "Should deny non-compliant Virtual Network without NSG" -Tag "deny-subnet-nsg" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "vnet-$Random" + + # Setting up all the requirements for a Virtual Network with no NSG enabled + $Subnet = New-AzVirtualNetworkSubnetConfig -Name "Subnet01" -AddressPrefix 10.0.0.0/24 + + # Deploying the 
compliant Virtual Network with NSG enabled + { + New-AzVirtualNetwork -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant Virtual Network without NSG but excluded subnet" -Tag "allow-subnet-nsg" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "vnet-$Random" + + # Setting up all the requirements for an Virtual Network with NSG enabled + $Subnet = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix 10.0.1.0/24 + + # Deploying the compliant a Virtual Network with no NSG enabled + { + New-AzVirtualNetwork -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet + + } | Should -Not -Throw + } + } + + It "Should allow compliant Virtual Network with NSG" -Tag "allow-subnet-nsg" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "vnet-$Random" + + # Setting up all the requirements for an Virtual Network with NSG enabled + $NSG = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" + $Subnet = New-AzVirtualNetworkSubnetConfig -Name "Subnet01" -AddressPrefix 10.0.0.0/24 -NetworkSecurityGroup $NSG + + # Deploying the compliant Virtual Network with NSG enabled + { + New-AzVirtualNetwork -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet + + } | Should -Not -Throw + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-Subnet-NSG" -Scope $mangementGroupScope -Confirm:$false + } +} diff --git a/tests/policy/Deny-Subnet-Without-Penp.Tests.ps1 b/tests/policy/Deny-Subnet-Without-Penp.Tests.ps1 new file mode 100644 index 0000000000..0fc6de167f --- /dev/null 
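Review bot: The comment `# Deploying the compliant Virtual Network with NSG enabled` in the first It sits above a deployment that deliberately has no NSG and is asserted to be denied; change it to `# Deploying a non-compliant Virtual Network whose subnet has no NSG; expect the deny`, and the second test's `# Deploying the compliant a Virtual Network with no NSG enabled` to `# Deploying a Virtual Network whose only subnet is on the policy's exclusion list; expect success`. The Context is named "when created or updated" but only creation is exercised; adding a subnet without an NSG to an existing VNet via `Add-AzVirtualNetworkSubnetConfig` and `Set-AzVirtualNetwork` is the update path where drift usually appears and deserves its own It. The exclusion case assumes `AzureFirewallSubnet` is in the definition's excluded-subnet list, which is not visible in this diff; state that assumption in the comment.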
+++ b/tests/policy/Deny-Subnet-Without-Penp.Tests.ps1 
@@ -0,0 +1,79 @@ +[CmdletBinding()] +param ( + [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json", + [Parameter()][String]$esCompanyPrefix +) + +Import-Module -Name Az.Network +Import-Module -Name Az.Resources +Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force +Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force + +Describe "Testing policy 'Deny-Subnet-Without-Penp'" -Tag "deny-subnet-penp" { + + BeforeAll { + + # Set the default context for Az commands. + Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force + + if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) { + Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath" + $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable + + # Set the esCompanyPrefix from the deployment configuration if not specified + $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix + $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp" + } + + $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-Subnet-Without-Penp' } + New-AzPolicyAssignment -Name "TDeny-Subnet-PENP" -Scope $mangementGroupScope -PolicyDefinition $definition + + } + + Context "Test Private Endpoint Network Policies on Virtual Network when created or updated" -Tag "deny-subnet-penp" { + + It "Should deny non-compliant Virtual Network without Privatee Endpoint Network Policies" -Tag "deny-subnet-penp" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "vnet-$Random" + + # Setting up all the requirements for a Virtual Network without Privatee Endpoint Network Policies + $NSG = 
New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" + $Subnet = New-AzVirtualNetworkSubnetConfig -Name "Subnet01" -AddressPrefix 10.0.0.0/24 -NetworkSecurityGroup $NSG + + # Deploying the compliant Virtual Network without Privatee Endpoint Network Policies + { + New-AzVirtualNetwork -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet + + } | Should -Throw "*disallowed by policy*" + } + } + + It "Should allow compliant Virtual Network with Private Endpoint Network Policies" -Tag "allow-subnet-penp" { + AzTest -ResourceGroup { + param($ResourceGroup) + + $random = GenerateRandomString -Length 13 + $name = "vnet-$Random" + + # Setting up all the requirements for an Virtual Network with Private Endpoint Network Policies + $NSG = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" + $Subnet = New-AzVirtualNetworkSubnetConfig -Name "Subnet01" -AddressPrefix 10.0.0.0/24 -NetworkSecurityGroup $NSG -PrivateEndpointNetworkPoliciesFlag "Enabled" + + # Deploying the compliant Virtual Network without Privatee Endpoint Network Policies + { + New-AzVirtualNetwork -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet + + } | Should -Not -Throw + } + } + } + + AfterAll { + Remove-AzPolicyAssignment -Name "TDeny-Subnet-PENP" -Scope $mangementGroupScope -Confirm:$false + } +} diff --git a/tests/policy/Deny-Subnet-Without-Udr.Tests.ps1 b/tests/policy/Deny-Subnet-Without-Udr.Tests.ps1 new file mode 100644 index 0000000000..0cd3ab27b6 --- /dev/null +++ b/tests/policy/Deny-Subnet-Without-Udr.Tests.ps1 
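Review bot: `Privatee` is misspelled in the first It name and in three comments, and both `# Deploying the compliant Virtual Network without Privatee Endpoint Network Policies` comments are wrong for their cases (the first deploys the non-compliant subnet that is expected to be denied, the second a compliant one with the flag enabled); suggested `# Deploying a non-compliant Virtual Network: subnet has privateEndpointNetworkPolicies disabled; expect the deny` and `# Deploying a compliant Virtual Network: subnet has privateEndpointNetworkPolicies enabled`. The deny case relies on `New-AzVirtualNetworkSubnetConfig` leaving the flag disabled when `-PrivateEndpointNetworkPoliciesFlag` is omitted, which depends on the Az.Network version and is not visible here; passing `-PrivateEndpointNetworkPoliciesFlag "Disabled"` explicitly would make the non-compliant input independent of that default.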
@@ -0,0 +1,107 @@
+[CmdletBinding()]
+param (
+ [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json",
+ [Parameter()][String]$esCompanyPrefix
+)
+
+Import-Module -Name Az.Network
+Import-Module -Name Az.Resources
+Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force
+
+Describe "Testing policy 'Deny-Subnet-Without-Udr'" -Tag "deny-subnet-udr" {
+
+ BeforeAll {
+
+ # Set the default context for Az commands.
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force
+
+ if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) {
+ Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath"
+ $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable
+
+ # Set the esCompanyPrefix from the deployment configuration if not specified
+ $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix
+ $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp"
+ }
+
+ $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-Subnet-Without-Udr' }
+ New-AzPolicyAssignment -Name "TDeny-Subnet-UDR" -Scope $mangementGroupScope -PolicyDefinition $definition
+
+ }
+
+ Context "Test UDR on Virtual Network when created or updated" -Tag "deny-subnet-udr" {
+
+ It "Should deny non-compliant Virtual Network without UDR" -Tag "deny-subnet-udr" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 13
+ $name = "vnet-$Random"
+
+ # Setting up all the requirements for an Virtual Network without UDR
+ $NSG = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet = New-AzVirtualNetworkSubnetConfig -Name "Subnet01" -AddressPrefix 10.0.0.0/24 -NetworkSecurityGroup $NSG
+
+ # Deploying the compliant Virtual Network without UDR
+ {
+ New-AzVirtualNetwork -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should allow compliant Virtual Network without UDR but excluded subnet" -Tag "allow-subnet-udr" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 13
+ $name = "vnet-$Random"
+
+ # Setting up all the requirements for an Virtual Network without UDR
+ $rule1 = New-AzNetworkSecurityRuleConfig -Name allowhttpsinbound-rule -Description "Allow HTTPS Inbound" -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
+ $rule2 = New-AzNetworkSecurityRuleConfig -Name allowGWinbound-rule -Description "Allow Gateway Manager Inbound" -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 -SourceAddressPrefix GatewayManager -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
+ $rule3 = New-AzNetworkSecurityRuleConfig -Name allowLBinbound-rule -Description "Allow Load Balancer Inbound" -Access Allow -Protocol Tcp -Direction Inbound -Priority 103 -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
+ $rule4 = New-AzNetworkSecurityRuleConfig -Name allowBH1inbound-rule -Description "Allow Bastion Host Inbound" -Access Allow -Protocol * -Direction Inbound -Priority 104 -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 8080
+ $rule5 = New-AzNetworkSecurityRuleConfig -Name allowBH2inbound-rule -Description "Allow Bastion Host Inbound" -Access Allow -Protocol * -Direction Inbound -Priority 105 -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 5701
+ $rule6 = New-AzNetworkSecurityRuleConfig -Name allowOutbound-rule -Description "Allow Outbound" -Access Allow -Protocol * -Direction Outbound -Priority 101 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *
+
+ $NSG = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -SecurityRules $rule1,$rule2,$rule3,$rule4,$rule5,$rule6
+ $Subnet = New-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix 10.0.1.0/24 -NetworkSecurityGroup $NSG
+
+ # Deploying the compliant Virtual Network without UDR
+ {
+ New-AzVirtualNetwork -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet
+
+ } | Should -Not -Throw
+ }
+ }
+
+ It "Should allow compliant Virtual Network with UDR" -Tag "allow-subnet-udr" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 13
+ $name = "vnet-$Random"
+
+ # Setting up all the requirements for an Virtual Network with UDR
+ $Route = New-AzRouteConfig -Name "Route01" -AddressPrefix 10.0.0.0/16 -NextHopType "VnetLocal"
+ $RouteTable = New-AzRouteTable -Name "RouteTable01" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -Route $Route
+ $NSG = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet = New-AzVirtualNetworkSubnetConfig -Name "Subnet01" -AddressPrefix 10.0.0.0/24 -NetworkSecurityGroup $NSG -RouteTable $RouteTable
+
+ # Deploying the compliant Virtual Network with UDR
+ {
+ New-AzVirtualNetwork -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet
+
+ } | Should -Not -Throw
+ }
+ }
+ }
+
+ AfterAll {
+ Remove-AzPolicyAssignment -Name "TDeny-Subnet-UDR" -Scope $mangementGroupScope -Confirm:$false
+ }
+}
diff --git a/tests/policy/Deny-UDR-With-Specific-NextHop.Tests.ps1 b/tests/policy/Deny-UDR-With-Specific-NextHop.Tests.ps1
new file mode 100644
index 0000000000..aae7b29359
--- /dev/null
+++ b/tests/policy/Deny-UDR-With-Specific-NextHop.Tests.ps1
@@ -0,0 +1,88 @@
+[CmdletBinding()]
+param (
+ [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json",
+ [Parameter()][String]$esCompanyPrefix
+)
+
+Import-Module -Name Az.Network
+Import-Module -Name Az.Resources
+Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force
+
+Describe "Testing policy 'Deny-UDR-With-Specific-NextHop'" -Tag "deny-subnet-udr" {
+
+ BeforeAll {
+
+ # Set the default context for Az commands.
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force
+
+ if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) {
+ Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath"
+ $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable
+
+ # Set the esCompanyPrefix from the deployment configuration if not specified
+ $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix
+ $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp"
+ }
+
+ $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-UDR-With-Specific-NextHop' }
+ New-AzPolicyAssignment -Name "TDeny-Subnet-UDRHop" -Scope $mangementGroupScope -PolicyDefinition $definition
+
+ }
+
+ Context "Test specific next hop UDR on Virtual Network when created or updated" -Tag "deny-subnet-udr" {
+
+ It "Should deny non-compliant Virtual Network with specific next hop - Internet" -Tag "deny-subnet-udr" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ # Deploying the compliant Virtual Network without UDR
+ {
+ $Route = New-AzRouteConfig -Name "Route01" -NextHopType "Internet" -AddressPrefix 0.0.0.0/0
+ New-AzRouteTable -Name "RouteTable01" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -Route $Route
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should deny non-compliant Virtual Network with specific next hop - VirtualNetworkGateway" -Tag "deny-subnet-udr" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ # Deploying the compliant Virtual Network without UDR
+ {
+ $Route = New-AzRouteConfig -Name "Route02" -NextHopType "VirtualNetworkGateway" -AddressPrefix 10.1.0.0/24
+ New-AzRouteTable -Name "RouteTable01" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -Route $Route
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should allow compliant Virtual Network with UDR to allowed next hop - Vnetlocal" -Tag "allow-subnet-udr" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $random = GenerateRandomString -Length 13
+ $name = "vnet-$Random"
+
+ # Deploying the compliant Virtual Network with UDR
+ {
+ # Setting up all the requirements for an Virtual Network with UDR
+ $Route = New-AzRouteConfig -Name "Route03" -AddressPrefix 10.0.0.0/16 -NextHopType "VnetLocal"
+ $RouteTable = New-AzRouteTable -Name "RouteTable01" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -Route $Route
+ $NSG = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet = New-AzVirtualNetworkSubnetConfig -Name "Subnet01" -AddressPrefix 10.0.0.0/24 -NetworkSecurityGroup $NSG -RouteTable $RouteTable
+
+ New-AzVirtualNetwork -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.0.0.0/16 -Subnet $Subnet
+
+ } | Should -Not -Throw
+ }
+ }
+ }
+
+ AfterAll {
+ Remove-AzPolicyAssignment -Name "TDeny-Subnet-UDRHop" -Scope $mangementGroupScope -Confirm:$false
+ }
+}
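Review bot: The Describe, Context and It blocks reuse the tags `deny-subnet-udr` and `allow-subnet-udr` from Deny-Subnet-Without-Udr.Tests.ps1, so `Invoke-Pester -Tag deny-subnet-udr` runs both policies' tests and neither can be selected on its own; a tag derived from this policy, e.g. `-Tag "deny-udr-nexthop"`, keeps the filters one-to-one (the three peering files share `deny-vnet-peering` in the same way). In the allow test the `$Route`, `$RouteTable`, `$NSG` and `$Subnet` setup sits inside the `{ ... } | Should -Not -Throw` scriptblock, so a failure in fixture creation is reported as a policy result; the deny tests keep only the operation under test inside the block, and the allow test should follow the same shape. The comments `# Deploying the compliant Virtual Network without UDR` above both deny tests are inaccurate — those tests deploy a route table, not a VNet, and expect a denial — and should say `# Deploying a non-compliant route table with next hop <type>; expected to be denied`.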
diff --git a/tests/policy/Deny-VNET-Peer-Cross-Sub.Tests.ps1 b/tests/policy/Deny-VNET-Peer-Cross-Sub.Tests.ps1
new file mode 100644
index 0000000000..2b44627018
--- /dev/null
+++ b/tests/policy/Deny-VNET-Peer-Cross-Sub.Tests.ps1
@@ -0,0 +1,79 @@
+[CmdletBinding()]
+param (
+ [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json",
+ [Parameter()][String]$esCompanyPrefix
+)
+
+Import-Module -Name Az.Network
+Import-Module -Name Az.Resources
+Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force
+
+$global:rgSubscription2
+
+Describe "Testing policy 'Deny-VNET-Peer-Cross-Sub'" -Tag "deny-vnet-peering" {
+
+ BeforeAll {
+
+ # Set the default context for Az commands.
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force
+
+ if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) {
+ Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath"
+ $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable
+
+ # Set the esCompanyPrefix from the deployment configuration if not specified
+ $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix
+ $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp"
+ }
+
+ $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-VNET-Peer-Cross-Sub' }
+ New-AzPolicyAssignment -Name "TDeny-Vnet-XPeering" -Scope $mangementGroupScope -PolicyDefinition $definition
+
+ }
+
+ Context "Test cross subscription peering on Virtual Network when created or updated" -Tag "deny-vnet-peering" {
+
+ It "Should deny non-compliant Virtual Network with cross subscription peering" -Tag "deny-vnet-peering" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $global:rgSubscription2 = $ResourceGroup.ResourceGroupName
+
+ $NSG1 = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet1 = New-AzVirtualNetworkSubnetConfig -Name "subnet01" -AddressPrefix 10.1.0.0/24 -NetworkSecurityGroup $NSG1
+ $vnet1 = New-AzVirtualNetwork -Name 'myVnet1' -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.1.0.0/16 -Subnet $Subnet1
+
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION2_ID -TenantId $env:TENANT_ID -Force
+ New-AzResourceGroup -Name $ResourceGroup.ResourceGroupName -Location "uksouth"
+
+ $NSG2 = New-AzNetworkSecurityGroup -Name "nsg2" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet2 = New-AzVirtualNetworkSubnetConfig -Name "subnet02" -AddressPrefix 10.2.0.0/24 -NetworkSecurityGroup $NSG2
+ $vnet2 = New-AzVirtualNetwork -Name 'myVnet2' -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.2.0.0/16 -Subnet $Subnet2
+
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force
+
+ {
+
+ # Peer VNet1 to VNet2.
+ Add-AzVirtualNetworkPeering -Name 'myVnet1ToMyVnet2' -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id
+
+ # Peer VNet2 to VNet1.
+ Add-AzVirtualNetworkPeering -Name 'myVnet2ToMyVnet1' -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ }
+
+ AfterAll {
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION2_ID -TenantId $env:TENANT_ID -Force
+ Get-AzResourceGroup -Name $global:rgSubscription2 | Remove-AzResourceGroup -Force
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force
+
+ Remove-AzPolicyAssignment -Name "TDeny-Vnet-XPeering" -Scope $mangementGroupScope -Confirm:$false
+ }
+}
@@ -0,0 +1,107 @@
+[CmdletBinding()]
+param (
+ [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json",
+ [Parameter()][String]$esCompanyPrefix
+)
+
+Import-Module -Name Az.Network
+Import-Module -Name Az.Resources
+Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force
+
+Describe "Testing policy 'Deny-VNET-Peering-To-Non-Approved-VNETs'" -Tag "deny-vnet-peering" {
+
+ BeforeAll {
+
+ # Set the default context for Az commands.
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force
+
+ if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) {
+ Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath"
+ $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable
+
+ # Set the esCompanyPrefix from the deployment configuration if not specified
+ $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix
+ $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp"
+
+ }
+
+ ### Had to move the assignment into the test, as we need to dynamically generate the allowedVnets parameter - this code remains for the valid criteria
+ $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-VNET-Peering-To-Non-Approved-VNETs' }
+ $allowedVnets = @("ApprovedVnet01", "ApprovedVnet02")
+ $parameters = @{'allowedVnets'=($allowedVnets)}
+ New-AzPolicyAssignment -Name "TDeny-Vnet-BadPeering" -Scope $mangementGroupScope -PolicyDefinition $definition -PolicyParameterObject $parameters
+
+ }
+
+ Context "Test same subscription peering on Virtual Network when created or updated" -Tag "deny-vnet-peering" {
+
+ It "Should deny non-compliant Virtual Network with peering in same subscription" -Tag "deny-vnet-peering" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $NSG1 = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet1 = New-AzVirtualNetworkSubnetConfig -Name "subnet01" -AddressPrefix 10.1.0.0/24 -NetworkSecurityGroup $NSG1
+ $vnet1 = New-AzVirtualNetwork -Name 'myVnet1' -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.1.0.0/16 -Subnet $Subnet1
+
+ $NSG2 = New-AzNetworkSecurityGroup -Name "nsg2" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet2 = New-AzVirtualNetworkSubnetConfig -Name "subnet02" -AddressPrefix 10.2.0.0/24 -NetworkSecurityGroup $NSG2
+ $vnet2 = New-AzVirtualNetwork -Name 'myVnet2' -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.2.0.0/16 -Subnet $Subnet2
+
+ {
+
+ # Peer VNet1 to VNet2.
+ Add-AzVirtualNetworkPeering -Name 'myVnet1ToMyVnet2' -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id
+
+ # Peer VNet2 to VNet1.
+ Add-AzVirtualNetworkPeering -Name 'myVnet2ToMyVnet1' -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ It "Should allow compliant Virtual Network with peering in same subscription" -Tag "allow-vnet-peering" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ # Moved the assignment into the test, as we need to dynamically generate the allowedVnets parameter - need the resource group name to do this
+ $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp"
+
+ $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-VNET-Peering-To-Non-Approved-VNETs' }
+ $subscriptionID = $env:SUBSCRIPTION_ID
+ $rgName = $ResourceGroup.ResourceGroupName
+ $allowedVnets = @(
+ "/subscriptions/$subscriptionID/resourceGroups/$rgName/providers/Microsoft.Network/virtualNetworks/ApprovedVnet01",
+ "/subscriptions/$subscriptionID/resourceGroups/$rgName/providers/Microsoft.Network/virtualNetworks/ApprovedVnet02"
+ )
+ $parameters = @{'allowedVnets'=($allowedVnets)}
+ #Set-AzPolicyAssignment -Name "TDeny-Vnet-BadPeering" -PolicyParameterObject $parameters
+ New-AzPolicyAssignment -Name "TDeny-Vnet-BadPeering" -Scope $mangementGroupScope -PolicyDefinition $definition -PolicyParameterObject $parameters
+
+ $NSG1 = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet1 = New-AzVirtualNetworkSubnetConfig -Name "subnet01" -AddressPrefix 10.1.0.0/24 -NetworkSecurityGroup $NSG1
+ $vnet1 = New-AzVirtualNetwork -Name 'ApprovedVnet01' -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.1.0.0/16 -Subnet $Subnet1
+
+ $NSG2 = New-AzNetworkSecurityGroup -Name "nsg2" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet2 = New-AzVirtualNetworkSubnetConfig -Name "subnet02" -AddressPrefix 10.2.0.0/24 -NetworkSecurityGroup $NSG2
+ $vnet2 = New-AzVirtualNetwork -Name 'ApprovedVnet02' -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.2.0.0/16 -Subnet $Subnet2
+
+ {
+
+ # Peer VNet1 to VNet2.
+ Add-AzVirtualNetworkPeering -Name 'myVnet1ToMyVnet2' -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id
+
+ # Peer VNet2 to VNet1.
+ Add-AzVirtualNetworkPeering -Name 'myVnet2ToMyVnet1' -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id
+
+ } | Should -Not -Throw
+ }
+ }
+ }
+
+ AfterAll {
+ Remove-AzPolicyAssignment -Name "TDeny-Vnet-BadPeering" -Scope $mangementGroupScope -Confirm:$false
+ }
+}
diff --git a/tests/policy/Deny-VNet-Peering.Tests.ps1 b/tests/policy/Deny-VNet-Peering.Tests.ps1
new file mode 100644
index 0000000000..59087b9e71
--- /dev/null
+++ b/tests/policy/Deny-VNet-Peering.Tests.ps1
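Review bot: The allow test calls `New-AzPolicyAssignment -Name "TDeny-Vnet-BadPeering" -Scope $mangementGroupScope ...` with the same name and scope already used in BeforeAll, which replaces that assignment rather than adding a second one; the commented-out `#Set-AzPolicyAssignment -Name "TDeny-Vnet-BadPeering" -PolicyParameterObject $parameters` line above it shows that was the intent and should be deleted rather than left in, and the BeforeAll comment `### Had to move the assignment into the test ... this code remains for the valid criteria` contradicts the code, which still performs the assignment there. The deny test runs against the BeforeAll assignment whose `allowedVnets` are bare names (`"ApprovedVnet01"`), while the allow test supplies full resource IDs; if the definition compares resource IDs (not visible in this hunk), the bare names can never match, so the deny test passes for any peering target rather than specifically for a non-approved one, and a comment should state which form the parameter expects. After the replacement, enforcement of the new parameter value may not be immediate, so the `Should -Not -Throw` outcome depends on propagation timing; re-reading the assignment with `Get-AzPolicyAssignment` and asserting on its parameters before peering would make that dependency explicit.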
@@ -0,0 +1,66 @@
+[CmdletBinding()]
+param (
+ [Parameter()][String]$DeploymentConfigPath = "./src/data/eslzArm.test.deployment.json",
+ [Parameter()][String]$esCompanyPrefix
+)
+
+Import-Module -Name Az.Network
+Import-Module -Name Az.Resources
+Import-Module "$($PSScriptRoot)/../../tests/utils/Policy.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force
+Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force
+
+Describe "Testing policy 'Deny-VNet-Peering'" -Tag "deny-vnet-peering" {
+
+ BeforeAll {
+
+ # Set the default context for Az commands.
+ Set-AzContext -SubscriptionId $env:SUBSCRIPTION_ID -TenantId $env:TENANT_ID -Force
+
+ if (-not [String]::IsNullOrEmpty($DeploymentConfigPath)) {
+ Write-Information "==> Loading deployment configuration from : $DeploymentConfigPath"
+ $deploymentObject = Get-Content -Path $DeploymentConfigPath | ConvertFrom-Json -AsHashTable
+
+ # Set the esCompanyPrefix from the deployment configuration if not specified
+ $esCompanyPrefix = $deploymentObject.TemplateParameterObject.enterpriseScaleCompanyPrefix
+ $mangementGroupScope = "/providers/Microsoft.Management/managementGroups/$esCompanyPrefix-corp"
+ }
+
+ $definition = Get-AzPolicyDefinition | Where-Object { $_.Name -eq 'Deny-VNet-Peering' }
+ New-AzPolicyAssignment -Name "TDeny-Vnet-Peering" -Scope $mangementGroupScope -PolicyDefinition $definition
+
+ }
+
+ Context "Test same subscription peering on Virtual Network when created or updated" -Tag "deny-vnet-peering" {
+
+ It "Should deny non-compliant Virtual Network with peering in same subscription" -Tag "deny-vnet-peering" {
+ AzTest -ResourceGroup {
+ param($ResourceGroup)
+
+ $NSG1 = New-AzNetworkSecurityGroup -Name "nsg1" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet1 = New-AzVirtualNetworkSubnetConfig -Name "subnet01" -AddressPrefix 10.1.0.0/24 -NetworkSecurityGroup $NSG1
+ $vnet1 = New-AzVirtualNetwork -Name 'myVnet1' -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.1.0.0/16 -Subnet $Subnet1
+
+ $NSG2 = New-AzNetworkSecurityGroup -Name "nsg2" -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth"
+ $Subnet2 = New-AzVirtualNetworkSubnetConfig -Name "subnet02" -AddressPrefix 10.2.0.0/24 -NetworkSecurityGroup $NSG2
+ $vnet2 = New-AzVirtualNetwork -Name 'myVnet2' -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AddressPrefix 10.2.0.0/16 -Subnet $Subnet2
+
+ {
+
+ # Peer VNet1 to VNet2.
+ Add-AzVirtualNetworkPeering -Name 'myVnet1ToMyVnet2' -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id
+
+ # Peer VNet2 to VNet1.
+ Add-AzVirtualNetworkPeering -Name 'myVnet2ToMyVnet1' -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id
+
+ } | Should -Throw "*disallowed by policy*"
+ }
+ }
+
+ }
+
+ AfterAll {
+ Remove-AzPolicyAssignment -Name "TDeny-Vnet-Peering" -Scope $mangementGroupScope -Confirm:$false
+ }
+}
diff --git a/tests/utils/Generic.Utils.psm1 b/tests/utils/Generic.Utils.psm1
new file mode 100644
index 0000000000..7245bfed8b
--- /dev/null
+++ b/tests/utils/Generic.Utils.psm1
@@ -0,0 +1,53 @@ +<# +.SYNOPSIS + Generates a random string of a given length. +.DESCRIPTION + Generates a random string of a given length. +.PARAMETER Length + The length of the random string to generate. +.EXAMPLE + $randomString = GenerateRandomString +#> +function GenerateRandomString { + param ( + [Parameter()] + [ValidateRange(1, [ushort]::MaxValue)] + [ushort]$Length = 15 + ) + + $TokenSet = @{ + L = [Char[]]'abcdefghijklmnopqrstuvwxyz' + N = [Char[]]'0123456789' + } + $Lower = Get-Random -Count 15 -InputObject $TokenSet.L + $Number = Get-Random -Count 10 -InputObject $TokenSet.N + $StringSet = $Lower + $Number + $RandomString = (Get-Random -Count $Length -InputObject $StringSet) -join '' + + return $RandomString +} + +function GeneratePasswordString { + param ( + [Parameter()] + [ValidateRange(1, [ushort]::MaxValue)] + [ushort]$Length = 15 + ) + + $TokenSet = @{ + U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ' + L = [Char[]]'abcdefghijklmnopqrstuvwxyz' + N = [Char[]]'0123456789' + S = [Char[]]'!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~' + } + + $Upper = Get-Random -Count 5 -InputObject $TokenSet.U + $Lower = Get-Random -Count 5 -InputObject $TokenSet.L + $Number = Get-Random -Count 5 -InputObject $TokenSet.N + $Special = Get-Random -Count 5 -InputObject $TokenSet.S + + $StringSet = $Upper + $Lower + $Number + $Special + $RandomString = (Get-Random -Count $Length -InputObject $StringSet) -join '' + + return $RandomString +} \ No newline at end of file diff --git a/tests/utils/Policy.Utils.psm1 b/tests/utils/Policy.Utils.psm1 new file mode 100644 index 0000000000..46fb99646e --- /dev/null +++ b/tests/utils/Policy.Utils.psm1 
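Review bot: `GenerateRandomString` draws `-Count $Length` from a 25-element `$StringSet` with `Get-Random`, which samples without replacement and returns at most as many items as the input holds, so any `-Length` above 25 silently yields a 25-character string (and no character ever repeats) even though `[ValidateRange(1, [ushort]::MaxValue)]` accepts larger values; `GeneratePasswordString` caps at 20 the same way because its pool is the 5+5+5+5 pre-draw. Drawing one character per position fixes both: `$pool = $TokenSet.L + $TokenSet.N` and `$RandomString = -join (1..$Length | ForEach-Object { Get-Random -InputObject $pool })`. For `GeneratePasswordString`, `Get-Random` is not a cryptographic generator, so if its output is ever used as a real credential rather than a throwaway test value, index the pool with `[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($pool.Count)` instead, and state that limitation in a comment-based help block for the function, which currently has none.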
@@ -0,0 +1,218 @@
+Import-Module -Name Az.Resources
+
+<#
+.SYNOPSIS
+Completes a policy compliance scan.
+
+.DESCRIPTION
+Starts a policy compliance scan and awaits it's completion. In case of a failure, the policy compliance scan is retried (Default: 3 times). Used as is from https://github.com/fawohlsc/azure-policy-testing.
+
+.PARAMETER ResourceGroup
+The resource group to be scanned for policy compliance.
+
+.PARAMETER MaxRetries
+The maximum amount of retries in case of failures (Default: 3 times).
+
+.EXAMPLE
+$ResourceGroup | Complete-PolicyComplianceScan
+#>
+function Complete-PolicyComplianceScan {
+ param (
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.Commands.ResourceManager.Cmdlets.SdkModels.PSResourceGroup]$ResourceGroup,
+ [Parameter()]
+ [ValidateRange(1, [ushort]::MaxValue)]
+ [ushort]$MaxRetries = 3
+ )
+
+ # Policy compliance scan might fail, hence retrying to avoid flaky tests.
+ $retries = 0
+ do {
+ $job = Start-AzPolicyComplianceScan -ResourceGroupName $ResourceGroup.ResourceGroupName -PassThru -AsJob
+ $succeeded = $job | Wait-Job | Receive-Job
+
+ if ($succeeded) {
+ break
+ }
+ # Failure: Retry policy compliance scan when still below maximum retries.
+ elseif ($retries -le $MaxRetries) {
+ Write-Host "Policy compliance scan for resource group '$($ResourceGroup.ResourceId)' failed. Retrying..."
+ $retries++
+ continue # Not required, just defensive programming.
+ }
+ # Failure: Policy compliance scan is still failing after maximum retries.
+ else {
+ throw "Policy compliance scan for resource group '$($ResourceGroup.ResourceId)' failed even after $($MaxRetries) retries."
+ }
+ } while ($retries -le $MaxRetries) # Prevent endless loop, just defensive programming.
+}
+
+<#
+.SYNOPSIS
+Completes a policy remediation.
+
+.DESCRIPTION
+Starts a remediation for a policy and awaits it's completion. In case of a failure, the policy remediation is retried (Default: 3 times). Used as is from https://github.com/fawohlsc/azure-policy-testing.
+
+.PARAMETER Resource
+The resource to be remediated.
+
+.PARAMETER PolicyDefinitionName
+The name of the policy definition.
+
+.PARAMETER CheckDeployment
+The switch to determine if a deployment is expected. If a deployment is expected but did not happen during policy remediation, the policy remediation is retried.
+
+.PARAMETER MaxRetries
+The maximum amount of retries in case of failures (Default: 3 times).
+
+.EXAMPLE
+$routeTable | Complete-PolicyRemediation -PolicyDefinition "Modify-RouteTable-NextHopVirtualAppliance" -CheckDeployment
+#>
+function Complete-PolicyRemediation {
+ param (
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.Commands.Network.Models.PSChildResource]$Resource,
+ [Parameter(Mandatory = $true)]
+ [ValidateNotNullOrEmpty()]
+ [string]$PolicyDefinitionName,
+ [Parameter()]
+ [switch]$CheckDeployment,
+ [Parameter()]
+ [ValidateRange(1, [ushort]::MaxValue)]
+ [ushort]$MaxRetries = 3
+ )
+
+ # Determine policy assignment id-
+ $scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
+ $policyAssignmentId = (Get-AzPolicyAssignment -Scope $scope
+ | Select-Object -Property PolicyAssignmentId -ExpandProperty Properties
+ | Where-Object { $_.PolicyDefinitionId.EndsWith($PolicyDefinitionName) }
+ | Select-Object -Property PolicyAssignmentId -First 1
+ ).PolicyAssignmentId
+
+ if ($null -eq $policyAssignmentId) {
+ throw "Policy '$($PolicyDefinitionName)' is not assigned to scope '$($scope)'."
+ }
+
+ # Remediation might be started before all previous changes on the resource in scope are completed.
+ # This race condition could lead to a successful remediation without any deployment being triggered.
+ # When a deployment is expected, it might be required to retry remediation to avoid flaky tests.
+ $retries = 0
+ do {
+ # Trigger and wait for remediation.
+ $job = Start-AzPolicyRemediation `
+ -Name "$($Resource.Name)-$([DateTimeOffset]::Now.ToUnixTimeSeconds())" `
+ -Scope $Resource.Id `
+ -PolicyAssignmentId $policyAssignmentId `
+ -ResourceDiscoveryMode ReEvaluateCompliance `
+ -AsJob
+ $remediation = $job | Wait-Job | Receive-Job
+
+ # Check remediation provisioning state and deployment when required .
+ $succeeded = $remediation.ProvisioningState -eq "Succeeded"
+ if ($succeeded) {
+ if ($CheckDeployment) {
+ $deployed = $remediation.DeploymentSummary.TotalDeployments -gt 0
+
+ # Success: Deployment was triggered.
+ if ($deployed) {
+ break
+ }
+ # Failure: No deployment was triggered, so retry when still below maximum retries.
+ elseif ($retries -le $MaxRetries) {
+ Write-Host "Policy '$($PolicyDefinitionName)' succeeded to remediated resource '$($Resource.Id)', but no deployment was triggered. Retrying..."
+ $retries++
+ continue # Not required, just defensive programming.
+ }
+ # Failure: No deployment was triggered even after maximum retries.
+ else {
+ throw "Policy '$($PolicyDefinitionName)' succeeded to remediated resource '$($Resource.Id)', but no deployment was triggered even after $($MaxRetries) retries."
+ }
+ }
+ # Success: No deployment need to checked, hence no retry required.
+ else {
+ break
+ }
+ }
+ # Failure: Remediation failed, so retry when still below maximum retries.
+ elseif ($retries -le $MaxRetries) {
+ Write-Host "Policy '$($PolicyDefinitionName)' failed to remediate resource '$($Resource.Id)'. Retrying..."
+ $retries++
+ continue # Not required, just defensive programming.
+ }
+ # Failure: Remediation failed even after maximum retries.
+ else {
+ throw "Policy '$($PolicyDefinitionName)' failed to remediate resource '$($Resource.Id)' even after $($MaxRetries) retries."
+ }
+ } while ($retries -le $MaxRetries) # Prevent endless loop, just defensive programming.
+}
+
+<#
+.SYNOPSIS
+Gets the policy compliance state of a resource.
+
+.DESCRIPTION
+Gets the policy compliance state of a resource. In case of a failure, getting the policy compliance state is retried (Default: 30 times) after a few seconds of waiting (Default: 60s). Used as is from https://github.com/fawohlsc/azure-policy-testing.
+
+.PARAMETER Resource
+The resource to get the policy compliance state for.
+
+.PARAMETER PolicyDefinitionName
+The name of the policy definition.
+
+.PARAMETER WaitSeconds
+The duration in seconds to wait between retries in case of failures (Default: 60s).
+
+.PARAMETER MaxRetries
+The maximum amount of retries in case of failures (Default: 3 times).
+
+.EXAMPLE
+$networkSecurityGroup | Get-PolicyComplianceState -PolicyDefinition "OP-Audit-NSGAny" | Should -BeFalse
+#>
+function Get-PolicyComplianceState {
+ param (
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.Commands.Network.Models.PSChildResource]$Resource,
+ [Parameter(Mandatory = $true)]
+ [ValidateNotNullOrEmpty()]
+ [string]$PolicyDefinitionName,
+ [Parameter()]
+ [ValidateRange(1, [ushort]::MaxValue)]
+ [ushort]$WaitSeconds = 60,
+ [Parameter()]
+ [ValidateRange(1, [ushort]::MaxValue)]
+ [ushort]$MaxRetries = 30
+ )
+
+ # Policy compliance scan might be completed, but policy compliance state might still be null due to race conditions.
+ # Hence waiting a few seconds and retrying to get the policy compliance state to avoid flaky tests.
+ $retries = 0
+ do {
+ $isCompliant = (Get-AzPolicyState `
+ -PolicyDefinitionName $PolicyDefinitionName `
+ -Filter "ResourceId eq '$($Resource.Id)'" `
+ ).IsCompliant
+
+ # Success: Policy compliance state is not null.
+ if ($null -ne $isCompliant) {
+ break
+ }
+ # Failure: Policy compliance state is null, so wait a few seconds and retry when still below maximum retries.
+ elseif ($retries -le $MaxRetries) {
+ Write-Host "Policy '$($PolicyDefinitionName)' completed compliance scan for resource '$($Resource.Id)', but policy compliance state is null. Retrying..."
+ Start-Sleep -Seconds $WaitSeconds
+ $retries++
+ continue # Not required, just defensive programming.
+ }
+ # Failure: Policy compliance state still null after maximum retries.
+ else {
+ throw "Policy '$($PolicyDefinitionName)' completed compliance scan for resource '$($Resource.Id)', but policy compliance state is null even after $($MaxRetries) retries."
+ }
+ } while ($retries -le $MaxRetries) # Prevent endless loop, just defensive programming.
+
+ return $isCompliant
+}
\ No newline at end of file
diff --git a/tests/utils/Rest.Utils.psm1 b/tests/utils/Rest.Utils.psm1
new file mode 100644
index 0000000000..5397efd512
--- /dev/null
+++ b/tests/utils/Rest.Utils.psm1
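Review bot: The three retry loops can exhaust their retries without ever throwing: the `do` body only runs while `$retries -le $MaxRetries`, so the `elseif ($retries -le $MaxRetries)` branch is always taken and every `else { throw ... }` branch is unreachable — after the last attempt `Complete-PolicyComplianceScan` and `Complete-PolicyRemediation` return silently and `Get-PolicyComplianceState` returns `$null`, so a caller can proceed on a scan or remediation that never completed. Changing each guard to `elseif ($retries -lt $MaxRetries)` (four occurrences across the three functions) makes the final failure throw as the comments and help text already promise. In `Complete-PolicyRemediation`, `$_.PolicyDefinitionId.EndsWith($PolicyDefinitionName)` also matches any definition whose name merely ends with the requested one, so `$_.PolicyDefinitionId.Split('/')[-1] -eq $PolicyDefinitionName` is the safer lookup. None of the test files in this change appear to call these helpers (they use `AzTest`), so if the module is carried over "as is" from the referenced upstream repository for later use, a one-line note at the top of the module saying so would save the next reader the search.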
@@ -0,0 +1,126 @@ +Import-Module -Name Az.Resources + +<# +.SYNOPSIS +Await an asynchronous operation against the Azure REST API. + +.DESCRIPTION +Helper method to await an asynchronous operation against the Azure REST API. Used as is from https://github.com/fawohlsc/azure-policy-testing. + +.PARAMETER HttpResponse +The HTTP response returned from the asynchronous operation. + +.PARAMETER MaxRetries +The maximum retries to monitor the status of the asynchronous operation (Default: 100 times). + +.EXAMPLE +if ($httpResponse.StatusCode -eq 202) { + $asyncOperation = $httpResponse | Wait-AsyncOperation + if ($asyncOperation.Status -ne "Succeeded") { + throw "Asynchronous operation failed with message: '$($asyncOperation)'" + } +} + +.LINK +https://github.com/Azure/azure-powershell/issues/13293 + +.LINK +https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/async-operations#status-codes-for-asynchronous-operations + +.LINK +https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/async-operations#url-to-monitor-status +#> +function Wait-AsyncOperation { + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [ValidateNotNull()] + [Microsoft.Azure.Commands.Profile.Models.PSHttpResponse]$HttpResponse, + [Parameter()] + [ValidateRange(1, [uint32]::MaxValue)] + [uint32]$MaxRetries = 100 + ) + + # Asynchronous operations either return HTTP status code 201 (Created) or 202 (Accepted). + # See also: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/async-operations#status-codes-for-asynchronous-operations + if ($HttpResponse.StatusCode -notin @(201, 202)) { + throw "HTTP response status code must be either '201' or '202' to indicate an asynchronous operation." + } + + # Extracting retry after from HTTP Response Headers. 
+ # See also: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/async-operations#url-to-monitor-status + $retryAfter = $HttpResponse + | Get-HttpResponseHeaderValues -HeaderName "Retry-After" + | Select-Object -First 1 + + # Extracting status URL from HTTP Response Headers. + $statusUrl = $HttpResponse + | Get-HttpResponseHeaderValues -HeaderName "Azure-AsyncOperation" + | Select-Object -First 1 + + if ($null -eq $statusUrl) { + $statusUrl = $HttpResponse + | Get-HttpResponseHeaderValues -HeaderName "Location" + | Select-Object -First 1 + } + + if ($null -eq $statusUrl) { + throw "HTTP response does not contain any header 'Azure-AsyncOperation' or 'Location' containing the URL to monitor the status of the asynchronous operation." + } + + # Convert status URL to path. + $statusPath = $statusUrl.Replace("https://management.azure.com", "") + + # Monitor status of asynchronous operation. + $httpResponse = $null + $retries = 0 + do { + $asyncOperation = Invoke-AzRestMethod -Path $statusPath -Method "GET" + | Select-Object -ExpandProperty Content + | ConvertFrom-Json + + if ($asyncOperation.Status -in @("Succeeded", "Failed", "Canceled")) { + break + } + else { + Start-Sleep -Second $retryAfter + $retries++ + } + } until ($retries -gt $MaxRetries) # Prevent endless loop, just defensive programming. + + if ($retries -gt $MaxRetries) { + throw "Status of asynchronous operation '$($statusPath)' could not be retrieved even after $($MaxRetries) retries." + } + + return $asyncOperation +} + +<# +.SYNOPSIS +Gets HTTP header values from a HTTP response. + +.DESCRIPTION +Helper method to extract HTTP header values from a HTTP response. Used as is from https://github.com/fawohlsc/azure-policy-testing. + +.PARAMETER HttpResponse +The HTTP response. + +.PARAMETER HeaderName +The name of the HTTP header. 
+ +.EXAMPLE +$statusUrl = $HttpResponse | Get-HttpResponseHeaderValues -HeaderName "Azure-AsyncOperation" | Select-Object -First 1 +#> +function Get-HttpResponseHeaderValues { + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [ValidateNotNull()] + [Microsoft.Azure.Commands.Profile.Models.PSHttpResponse]$HttpResponse, + [Parameter(Mandatory = $true)] + [ValidateNotNullOrEmpty()] + [string]$HeaderName + ) + + $headerValues = New-Object System.Collections.Generic.List[string] + $httpResponse.Headers.TryGetValues($HeaderName, [ref] $headerValues) > $null + return $headerValues +} \ No newline at end of file diff --git a/tests/utils/Test.Utils.psm1 b/tests/utils/Test.Utils.psm1 new file mode 100644 index 0000000000..d7cbbbe0a6 --- /dev/null +++ b/tests/utils/Test.Utils.psm1 
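Review bot: Wait-AsyncOperation derives the poll path by stripping a hard-coded `https://management.azure.com` from the server-supplied status URL, so in any environment whose Resource Manager endpoint differs (sovereign clouds, or a context pointed at another endpoint) the prefix is not removed, a full URL is handed to `Invoke-AzRestMethod -Path`, and the loop never polls the intended operation; it also never checks that the header value is under the current ARM endpoint before the authenticated call is made. Resolve the endpoint from `(Get-AzContext).Environment.ResourceManagerUrl`, reject a status URL that does not start with it, and take the remainder as the path, as sketched below. Secondly, `Start-Sleep -Second $retryAfter` is fed the raw `Retry-After` header, which is `$null` when the header is missing; as far as I can tell Start-Sleep then either fails to bind or sleeps zero seconds, so a fallback such as `if (-not $retryAfter) { $retryAfter = 5 }` before the loop keeps the poll from becoming a tight loop — worth confirming against the responses you actually see. The loop also ignores the poll response's StatusCode, so an error payload without a Status field silently burns through all MaxRetries; checking the StatusCode on each iteration would surface that sooner.
```powershell
# Convert status URL to a path relative to the ARM endpoint of the current context.
$armUrl = (Get-AzContext).Environment.ResourceManagerUrl.TrimEnd('/')
if (-not $statusUrl.StartsWith($armUrl, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Status URL '$($statusUrl)' is not under the current Resource Manager endpoint '$($armUrl)'."
}
$statusPath = $statusUrl.Substring($armUrl.Length)
# … unchanged: polling loop …
```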
@@ -0,0 +1,250 @@ +Import-Module -Name Az.Resources + +<# +.SYNOPSIS +Cleans up any Azure resources created during the test. + +.DESCRIPTION +Cleans up any Azure resources created during the test. If any clean-up operation fails, the whole test will fail. Used as is from https://github.com/fawohlsc/azure-policy-testing. + +.PARAMETER CleanUp +The script block specifying the clean-up operations. + +.EXAMPLE +AzCleanUp { + Remove-AzResourceGroup -Name $ResourceGroup.ResourceGroupName -Force +} +#> +function AzCleanUp { + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [ValidateNotNull()] + [ScriptBlock] $CleanUp + ) + + try { + # Remember $ErrorActionPreference. + $errorAction = $ErrorActionPreference + + # Stop clean-up on errors, since $ErrorActionPreference defaults to 'Continue' in PowerShell. + $ErrorActionPreference = "Stop" + + # Execute clean-up script. + $CleanUp.Invoke() + + # Reset $ErrorActionPreference to previous value. + $ErrorActionPreference = $errorAction + } + catch { + throw "Clean-up failed with message: '$($_)'" + } +} + +<# +.SYNOPSIS +Retries the test on transient errors. + +.DESCRIPTION +Retries the script block when a transient errors occurs during test execution. Used as is from https://github.com/fawohlsc/azure-policy-testing. + +.PARAMETER Retry +The script block specifying the test. + +.PARAMETER MaxRetries +The maximum amount of retries in case of transient errors (Default: 3 times). 
+ +.EXAMPLE +AzRetry { + # When a dedicated resource group should be created for the test + if ($ResourceGroup) { + try { + $resourceGroup = New-ResourceGroupTest + Invoke-Command -ScriptBlock $Test -ArgumentList $resourceGroup + } + finally { + # Stops on failures during clean-up + CleanUp { + Remove-AzResourceGroup -Name $ResourceGroup.ResourceGroupName -Force -AsJob + } + } + } + else { + Invoke-Command -ScriptBlock $Test + } +} +#> +function AzRetry { + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [ValidateNotNull()] + [ScriptBlock] $Retry, + [Parameter()] + [ValidateRange(1, [ushort]::MaxValue)] + [ushort]$MaxRetries = 3 + ) + + $retries = 0 + do { + try { + $Retry.Invoke() + + # Exit loop when no exception was thrown. + break + } + catch { + # Determine root cause exception. + $innermostException = Get-InnermostException $_.Exception + + # Rethrow exception when maximum retries are reached. + if ($retries -ge $MaxRetries) { + throw (New-Object System.Management.Automation.RuntimeException("Test failed even after $($MaxRetries) retries.", $_.Exception)) + } + # Retry when exception is caused by a transient error. + elseif ($innermostException -is [System.Threading.Tasks.TaskCanceledException]) { + Write-Host "Test failed due to a transient error. Retrying..." + $retries++ + continue + } + # Rethrow exception when it is caused by a non-transient error. + else { + throw $_.Exception + } + } + } while ($retries -le $MaxRetries) # Prevent endless loop, just defensive programming. +} + +<# +.SYNOPSIS +Wraps a test targeting Azure. + +.DESCRIPTION +Wraps a test targeting Azure. Also retries the test on transient errors. Used as is from https://github.com/fawohlsc/azure-policy-testing. + +.PARAMETER Test +The script block specifying the test. + +.PARAMETER ResourceGroup +Creates a dedicated resource group for the test, which is automatically cleaned up afterwards. 
+ +.EXAMPLE +AzTest -ResourceGroup { + param($ResourceGroup) + + # Your test code leveraging the resource group, which is automatically cleaned up afterwards. +} + +.EXAMPLE +AzTest { + try { + # Your test code + } + finally { + # Don't forget to wrap your clean-up operations in AzCleanUp, otherwise failures during clean-up might remain unnoticed. + AzCleanUp { + # Your clean-up code + } + } +} +#> +function AzTest { + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [ValidateNotNull()] + [ScriptBlock] $Test, + [Parameter()] + [Switch] $ResourceGroup + ) + + # Retries the test on transient errors. + AzRetry { + # When a dedicated resource group should be created for the test. + if ($ResourceGroup) { + try { + $resourceGroup = New-ResourceGroupTest + Invoke-Command -ScriptBlock $Test -ArgumentList $resourceGroup + } + finally { + # Stops on failures during clean-up. + AzCleanUp { + Remove-AzResourceGroup -Name $ResourceGroup.ResourceGroupName -Force -AsJob + } + } + } + else { + Invoke-Command -ScriptBlock $Test + } + } +} + +<# +.SYNOPSIS +Gets the innermost exception. + +.DESCRIPTION +Gets the innermost exception or root cause. Used as is from https://github.com/fawohlsc/azure-policy-testing. + +.PARAMETER Exception +The exception. + +.EXAMPLE +$innermostException = Get-InnermostException $_.Exception + +.EXAMPLE +$innermostException = Get-InnermostException -Exception $_.Exception +#> +function Get-InnermostException { + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [ValidateNotNull()] + [System.Exception] $Exception + ) + + # Innermost exceptions do not have an inner exception. + if ($null -eq $Exception.InnerException) { + return $Exception + } + else { + return Get-InnermostException $Exception.InnerException + } +} + +<# +.SYNOPSIS +Gets the default Azure region. + +.DESCRIPTION +Gets the default Azure region, e.g. northeurope. 
+ +.EXAMPLE +$location = Get-ResourceLocationDefault +#> +function Get-ResourceLocationDefault { + return "uksouth" +} + +<# +.SYNOPSIS +Create a dedicated resource group for an automated test case. + +.DESCRIPTION +Create a dedicated resource group for an automated test case. The resource group name will be a GUID to avoid naming collisions. Used as is from https://github.com/fawohlsc/azure-policy-testing. + +.PARAMETER Location +The Azure region where the resource group is created, e.g. northeurope. When no location is provided, the default location is retrieved by using Get-ResourceLocationDefault. + +.EXAMPLE +$resourceGroup = New-ResourceGroupTest + +.EXAMPLE +$resourceGroup = New-ResourceGroupTest -Location "westeurope" +#> +function New-ResourceGroupTest { + param ( + [Parameter()] + [ValidateNotNullOrEmpty()] + [string]$Location = (Get-ResourceLocationDefault) + ) + + $resourceGroup = New-AzResourceGroup -Name (New-Guid).Guid -Location $Location + return $resourceGroup +} \ No newline at end of file diff --git a/utils/github/Set-AlzGitHubLabels.ps1 b/utils/github/Set-AlzGitHubLabels.ps1 new file mode 100644 index 0000000000..c04da515ce --- /dev/null +++ b/utils/github/Set-AlzGitHubLabels.ps1 
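Review bot: In AzTest the clean-up removes `$ResourceGroup.ResourceGroupName`, which only works because PowerShell variable names are case-insensitive and `$resourceGroup = New-ResourceGroupTest` has overwritten the `-ResourceGroup` switch; if New-ResourceGroupTest throws, the finally block runs with the switch still in that variable, `Remove-AzResourceGroup -Name $null` fails, and AzCleanUp's "Clean-up failed" error masks the original failure. In addition, `Remove-AzResourceGroup ... -AsJob` returns as soon as the job is started, so AzCleanUp's try/catch only observes the job creation and a failed deletion of the test resource group goes unnoticed — the opposite of what the comment "Stops on failures during clean-up" promises — leaving billable test resources behind. I would keep the created group in a distinctly named variable, skip clean-up when nothing was created, and wait for the removal, as below. Minor: Get-ResourceLocationDefault's help says "e.g. northeurope" while the function returns `uksouth`.
```powershell
        # When a dedicated resource group should be created for the test.
        if ($ResourceGroup) {
            $testResourceGroup = $null
            try {
                $testResourceGroup = New-ResourceGroupTest
                Invoke-Command -ScriptBlock $Test -ArgumentList $testResourceGroup
            }
            finally {
                # Only clean up what was actually created, and wait for the removal so failures surface.
                if ($null -ne $testResourceGroup) {
                    AzCleanUp {
                        Remove-AzResourceGroup -Name $testResourceGroup.ResourceGroupName -Force | Out-Null
                    }
                }
            }
        }
        # … unchanged: else branch invoking $Test directly …
```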
@@ -0,0 +1,230 @@ +[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingWriteHost", "", Justification = "Coloured output required in this script")] + +<# +.SYNOPSIS + This script can be used to create the Azure Landing Zones (ALZ) standard GitHub labels to a GitHub repository. + +.DESCRIPTION + This script can be used to create the Azure Landing Zones (ALZ) standard GitHub labels to a GitHub repository. + + By default, the script will remove all pre-existing labels and apply the ALZ labels. However, this can be changed by using the -RemoveExistingLabels parameter and setting it to $false. The tool will also output the labels that exist in the repository before and after the script has run to a CSV file in the current directory, or a directory specified by the -OutputDirectory parameter. + + The ALZ labels to be created are documented here: TBC + +.NOTES + Please ensure you have specified the GitHub repositry correctly. The script will prompt you to confirm the repository name before proceeding. + +.COMPONENT + You must have the GitHub CLI installed and be authenticated to a GitHub account with access to the repository you are applying the labels to before running this script. + +.LINK + TBC + +.Parameter RepositoryName + The name of the GitHub repository to apply the labels to. + +.Parameter RemoveExistingLabels + If set to $true, the default value, the script will remove all pre-existing labels from the repository specified in -RepositoryName before applying the ALZ labels. If set to $false, the script will not remove any pre-existing labels. + +.Parameter UpdateAndAddLabelsOnly + If set to $true, the default value, the script will only update and add labels to the repository specified in -RepositoryName. If set to $false, the script will remove all pre-existing labels from the repository specified in -RepositoryName before applying the ALZ labels. 
+ +.Parameter OutputDirectory + The directory to output the pre-existing and post-existing labels to in a CSV file. The default value is the current directory. + +.Parameter CreateCsvLabelExports + If set to $true, the default value, the script will output the pre-existing and post-existing labels to a CSV file in the current directory, or a directory specified by the -OutputDirectory parameter. If set to $false, the script will not output the pre-existing and post-existing labels to a CSV file. + +.Parameter GitHubCliLimit + The maximum number of labels to return from the GitHub CLI. The default value is 999. + +.Parameter LabelsToApplyCsvUri + The URI to the CSV file containing the labels to apply to the GitHub repository. The default value is https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/utils/github/alz-repo-standard-labels.csv. + +.Parameter NoUserPrompts + If set to $true, the default value, the script will not prompt the user to confirm they want to remove all pre-existing labels from the repository specified in -RepositoryName before applying the ALZ labels. If set to $false, the script will prompt the user to confirm they want to remove all pre-existing labels from the repository specified in -RepositoryName before applying the ALZ labels. + + This is useful for running the script in automation workflows + +.EXAMPLE + Create the ALZ labels in the repository Org/MyGitHubRepo and remove all pre-existing labels. + + Set-AlzGitHubLabels.ps1 -RepositoryName "Org/MyGitHubRepo" + +.EXAMPLE + Create the ALZ labels in the repository Org/MyGitHubRepo and do not remove any pre-existing labels, just overwrite any labels that have the same name. + + Set-AlzGitHubLabels.ps1 -RepositoryName "Org/MyGitHubRepo" -RemoveExistingLabels $false + +.EXAMPLE + Create the ALZ labels in the repository Org/MyGitHubRepo and output the pre-existing and post-existing labels to the directory C:\GitHubLabels. 
+ + Set-AlzGitHubLabels.ps1 -RepositoryName "Org/MyGitHubRepo" -OutputDirectory "C:\GitHubLabels" + +.EXAMPLE + Create the ALZ labels in the repository Org/MyGitHubRepo and output the pre-existing and post-existing labels to the directory C:\GitHubLabels and do not remove any pre-existing labels, just overwrite any labels that have the same name. + + Set-AlzGitHubLabels.ps1 -RepositoryName "Org/MyGitHubRepo" -OutputDirectory "C:\GitHubLabels" -RemoveExistingLabels $false + +.EXAMPLE + Create the ALZ labels in the repository Org/MyGitHubRepo and do not create the pre-existing and post-existing labels CSV files and do not remove any pre-existing labels, just overwrite any labels that have the same name. + + Set-AlzGitHubLabels.ps1 -RepositoryName "Org/MyGitHubRepo" -RemoveExistingLabels $false -CreateCsvLabelExports $false + +.EXAMPLE + Create the ALZ labels in the repository Org/MyGitHubRepo and do not create the pre-existing and post-existing labels CSV files and do not remove any pre-existing labels, just overwrite any labels that have the same name. Finally, use a custom CSV file hosted on the internet to create the labels from. 
+ + Set-AlzGitHubLabels.ps1 -RepositoryName "Org/MyGitHubRepo" -OutputDirectory "C:\GitHubLabels" -RemoveExistingLabels $false -CreateCsvLabelExports $false -LabelsToApplyCsvUri "https://example.com/csv/alz-github-labels.csv" + +#> + +#Requires -PSEdition Core + +[CmdletBinding()] +param ( + [Parameter(Mandatory = $true)] + [string]$RepositoryName, + + [Parameter(Mandatory = $false)] + [bool]$RemoveExistingLabels = $true, + + [Parameter(Mandatory = $false)] + [bool]$UpdateAndAddLabelsOnly = $true, + + [Parameter(Mandatory = $false)] + [bool]$CreateCsvLabelExports = $true, + + [Parameter(Mandatory = $false)] + [string]$OutputDirectory = (Get-Location), + + [Parameter(Mandatory = $false)] + [int]$GitHubCliLimit = 999, + + [Parameter(Mandatory = $false)] + [string]$LabelsToApplyCsvUri = "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/utils/github/alz-repo-standard-labels.csv", + + [Parameter(Mandatory = $false)] + [bool]$NoUserPrompts = $false +) + +# Check if the GitHub CLI is installed +$GitHubCliInstalled = Get-Command gh -ErrorAction SilentlyContinue +if ($null -eq $GitHubCliInstalled) { + throw "The GitHub CLI is not installed. Please install the GitHub CLI and try again." +} +Write-Host "The GitHub CLI is installed..." -ForegroundColor Green + +# Check if GitHub CLI is authenticated +$GitHubCliAuthenticated = gh auth status +if ($null -eq $GitHubCliAuthenticated) { + throw "Not authenticated to GitHub. Please authenticate to GitHub using the GitHub CLI, `gh auth login`, and try again." +} +Write-Host "Authenticated to GitHub..." -ForegroundColor Green + +# Check if GitHub repository name is valid +$GitHubRepositoryNameValid = $RepositoryName -match "^[a-zA-Z0-9-]+/[a-zA-Z0-9-]+$" +if ($false -eq $GitHubRepositoryNameValid) { + throw "The GitHub repository name $RepositoryName is not valid. Please check the repository name and try again. 
The format must be /" +} + +# List GitHub repository provided and check it exists +$GitHubRepository = gh repo view $RepositoryName +if ($null -eq $GitHubRepository) { + throw "The GitHub repository $RepositoryName does not exist. Please check the repository name and try again." +} +Write-Host "The GitHub repository $RepositoryName exists..." -ForegroundColor Green + +# PRE - Get the current GitHub repository labels and export to a CSV file in the current directory or where -OutputDirectory specifies if set to a valid directory path and the directory exists or can be created if it does not exist already +if ($RemoveExistingLabels -or $UpdateAndAddLabelsOnly) { + Write-Host "Getting the current GitHub repository (pre) labels for $RepositoryName..." -ForegroundColor Yellow + $GitHubRepositoryLabels = gh label list -R $RepositoryName -L $GitHubCliLimit --json name,description,color + + if ($null -ne $GitHubRepositoryLabels -and $CreateCsvLabelExports -eq $true) { + $csvFileNamePathPre = "$OutputDirectory\$($RepositoryName.Replace('/', '_'))-Labels-Pre-$(Get-Date -Format FileDateTime).csv" + Write-Host "Exporting the current GitHub repository (pre) labels for $RepositoryName to $csvFileNamePathPre" -ForegroundColor Yellow + $GitHubRepositoryLabels | ConvertFrom-Json | Export-Csv -Path $csvFileNamePathPre -NoTypeInformation + } +} + +# Remove all pre-existing labels if -RemoveExistingLabels is set to $true and user confirms they want to remove all pre-existing labels +if ($null -ne $GitHubRepositoryLabels) { + $GitHubRepositoryLabelsJson = $GitHubRepositoryLabels | ConvertFrom-Json + if ($RemoveExistingLabels -eq $true -and $NoUserPrompts -eq $false -and $UpdateAndAddLabelsOnly -eq $false) { + $RemoveExistingLabelsConfirmation = Read-Host "Are you sure you want to remove all $($GitHubRepositoryLabelsJson.Count) pre-existing labels from $($RepositoryName)? 
(Y/N)" + if ($RemoveExistingLabelsConfirmation -eq "Y") { + Write-Host "Removing all pre-existing labels from $RepositoryName..." -ForegroundColor Yellow + $GitHubRepositoryLabels | ConvertFrom-Json | ForEach-Object { + Write-Host "Removing label $($_.name) from $RepositoryName..." -ForegroundColor DarkRed + gh label delete -R $RepositoryName $_.name --yes + } + } + } + if ($RemoveExistingLabels -eq $true -and $NoUserPrompts -eq $true -and $UpdateAndAddLabelsOnly -eq $false) { + Write-Host "Removing all pre-existing labels from $RepositoryName..." -ForegroundColor Yellow + $GitHubRepositoryLabels | ConvertFrom-Json | ForEach-Object { + Write-Host "Removing label $($_.name) from $RepositoryName..." -ForegroundColor DarkRed + gh label delete -R $RepositoryName $_.name --yes + } + } +} +if ($null -eq $GitHubRepositoryLabels) { + Write-Host "No pre-existing labels to remove or not selected to be removed from $RepositoryName..." -ForegroundColor Magenta +} + +# Check LabelsToApplyCsvUri is valid and contains a CSV content +Write-Host "Checking $LabelsToApplyCsvUri is valid..." -ForegroundColor Yellow +$LabelsToApplyCsvUriValid = $LabelsToApplyCsvUri -match "^https?://" +if ($false -eq $LabelsToApplyCsvUriValid) { + throw "The LabelsToApplyCsvUri $LabelsToApplyCsvUri is not valid. Please check the URI and try again. The format must be a valid URI." +} +Write-Host "The LabelsToApplyCsvUri $LabelsToApplyCsvUri is valid..." 
-ForegroundColor Green + +# Create ALZ lables from the ALZ labels CSV file stored on the web using the convertfrom-csv cmdlet +$alzLabelsCsv = Invoke-WebRequest -Uri $LabelsToApplyCsvUri | ConvertFrom-Csv + +# Check if the ALZ labels CSV file contains the following columns: Name, Description, HEX +$alzLabelsCsvColumns = $alzLabelsCsv | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name +$alzLabelsCsvColumnsValid = $alzLabelsCsvColumns -contains "Name" -and $alzLabelsCsvColumns -contains "Description" -and $alzLabelsCsvColumns -contains "HEX" +if ($false -eq $alzLabelsCsvColumnsValid) { + throw "The labels CSV file does not contain the required columns: Name, Description, HEX. Please check the CSV file and try again. It contains the following columns: $alzLabelsCsvColumns" +} +Write-Host "The labels CSV file contains the required columns: Name, Description, HEX" -ForegroundColor Green + +# Create the ALZ labels in the GitHub repository +Write-Host "Creating/Updating the $($alzLabelsCsv.Count) ALZ labels in $RepositoryName..." -ForegroundColor Yellow +$alzLabelsCsv | ForEach-Object { + if ($GitHubRepositoryLabelsJson.name -contains $_.name) { + Write-Host "The label $($_.name) already exists in $RepositoryName. Updating the label to ensure description and color are consitent..." -ForegroundColor Magenta + gh label create -R $RepositoryName "$($_.name)" -c $_.HEX -d $($_.Description) --force + } + else { + Write-Host "The label $($_.name) does not exist in $RepositoryName. Creating label $($_.name) in $RepositoryName..." 
-ForegroundColor Cyan + gh label create -R $RepositoryName "$($_.Name)" -c $_.HEX -d $($_.Description) --force + } +} + +# POST - Get the current GitHub repository labels and export to a CSV file in the current directory or where -OutputDirectory specifies if set to a valid directory path and the directory exists or can be created if it does not exist already +if ($CreateCsvLabelExports -eq $true) { + Write-Host "Getting the current GitHub repository (post) labels for $RepositoryName..." -ForegroundColor Yellow + $GitHubRepositoryLabels = gh label list -R $RepositoryName -L $GitHubCliLimit --json name,description,color + + if ($null -ne $GitHubRepositoryLabels) { + $csvFileNamePathPre = "$OutputDirectory\$($RepositoryName.Replace('/', '_'))-Labels-Post-$(Get-Date -Format FileDateTime).csv" + Write-Host "Exporting the current GitHub repository (post) labels for $RepositoryName to $csvFileNamePathPre" -ForegroundColor Yellow + $GitHubRepositoryLabels | ConvertFrom-Json | Export-Csv -Path $csvFileNamePathPre -NoTypeInformation + } +} + +# If -RemoveExistingLabels is set to $true and user confirms they want to remove all pre-existing labels check that only the alz labels exist in the repository +if ($RemoveExistingLabels -eq $true -and ($RemoveExistingLabelsConfirmation -eq "Y" -or $NoUserPrompts -eq $true) -and $UpdateAndAddLabelsOnly -eq $false) { + Write-Host "Checking that only the ALZ labels exist in $RepositoryName..." -ForegroundColor Yellow + $GitHubRepositoryLabels = gh label list -R $RepositoryName -L $GitHubCliLimit --json name,description,color + $GitHubRepositoryLabels | ConvertFrom-Json | ForEach-Object { + if ($alzLabelsCsv.Name -notcontains $_.name) { + throw "The label $($_.name) exists in $RepositoryName but is not in the CSV file." + } + } + Write-Host "Only the CSV labels exist in $RepositoryName..." -ForegroundColor Green +} + +Write-Host "The CSV labels have been created/updated in $RepositoryName..." -ForegroundColor Green 
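Review bot: The label CSV is fetched from a caller-supplied URI that only has to match `^https?://`, and its rows are then applied to the repository with `gh label create ... --force` (and, with removal enabled, used to decide which existing labels survive), so a plain-HTTP or tampered source can rewrite every label; tighten the check to `$LabelsToApplyCsvUriValid = $LabelsToApplyCsvUri -match "^https://"` and, for -NoUserPrompts automation, reference the CSV by commit SHA rather than `main`. The authentication gate `$GitHubCliAuthenticated = gh auth status` inspects captured stdout, but in the gh versions I know the status text goes to stderr and failure is signalled by the exit code, so an unauthenticated run can pass this check; test `if ($LASTEXITCODE -ne 0) { throw ... }` instead, and do the same after `gh repo view`. The CSV export paths are built with a literal backslash (`"$OutputDirectory\$(...)"`) although the script requires PowerShell Core, so on Linux/macOS they yield one file name containing a backslash rather than a file inside -OutputDirectory; use `Join-Path $OutputDirectory "...csv"`. Finally, the help claims the script removes existing labels by default, but with the default `-UpdateAndAddLabelsOnly $true` neither deletion branch is reachable, so the .DESCRIPTION and .Parameter text should state that removal requires `-UpdateAndAddLabelsOnly $false`.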
diff --git a/utils/github/alz-repo-standard-labels.csv b/utils/github/alz-repo-standard-labels.csv new file mode 100644 index 0000000000..163a44f127 --- /dev/null +++ b/utils/github/alz-repo-standard-labels.csv 
@@ -0,0 +1,51 @@ +Name,Description,HEX +Area: Accelerator :zap:,Issues / PR's related to Accelerators,ECBA82 +Area: Bicep Registry :file_cabinet:,Issues / PR's related to Bicep Registry,81C14B +Area: Diagnostic Settings :test_tube:,Issues / PR's related to Diagnostic Settings,2E933C +Area: Logging & Automation :camera:,Issues / PR's related to Logging & Automation,BFCC94 +Area: Management Groups :beers:,Issues / PR's related to Management Groups,204E4A +Area: MDFC :lock:,Issues / PR's related to Microsoft Defender for Cloud,B24C63 +Area: Networking :globe_with_meridians:,Issues / PR's related to Networking,5438DC +Area: Non-Resource Specific :label:,"Things like tags, location etc.",357DED +Area: Orchestration Modules :recycle:,Modules that wrap/orchestrate other modules,56EEF4 +Area: Policy :pencil:,Issues / PR's related to Policy,32E875 +Area: RBAC :passport_control:,Issues / PR's related to RBAC,C1EEFF +Area: Sovereign :alien:,"GH issues raised for sovereign clouds (US Gov, China)",655356 +Needs: Attention :wave:,Needs attention from the maintainers,E99695 +Needs: Author Feedback :ear:,Needs the author to provide feedback,F18A07 +Needs: External Changes :gear:,When an issue/PR requires changes that are outside of the control of this repo,DE389D +Needs: More Evidence :balance_scale:,We are looking for more evidence to make a decision on this,F64872 +Needs: Triage :mag:,Needs triaging by the team,FBCA04 +Needs: Upstream Policy Changes :arrows_clockwise:,Upstream ESLZ repo policy changes required,513B3C +Status: Awaiting Release To Be Cut :scissors:,"This is fixed in the main branch but not in the latest release, will be fixed with next release cut",017438 +Status: Blocked :brick:,Something is blocking us from fixing this,D8DBE2 +Status: Do Not Merge :no_entry:,Do not merge PRs with this label attached as they are not ready etc.,C62A4B +Status: External Contribution :earth_americas:,This is being worked on by someone outside of the owners/contributors or core 
team,D8FA2C +Status: Fixed :white_check_mark:,Auto label applied when issue fixed by merged PR,ededed +Status: Help Wanted :sos:,Extra attention is needed,008672 +Status: In PR :point_right:,This is when an issue is due to be fixed in an open PR,344966 +Status: Invalid :x:,This doesn't seem right,e4e669 +Status: Long Term :hourglass:,"We will do it, but will take a longer amount of time due to complexity/priorities",B60205 +Status: Module Orphaned :eyes:,The module has no owner and is therefore orphaned at this time,A9BCD0 +Status: No Recent Activity :zzz:,"No recent activity, will eb closed automatically soon unless modified",58A4B0 +Status: PR Merged :arrow_up:,Issue has been merged in a PR,373F51 +Status: PR Modified Workflows :warning:,PR contains changes to GitHub Actions,DAA49A +Status: PR Referenced :link:,Issue is referenced in a PR,BF4E30 +Status: PR Safe To Test :ballot_box_with_check:,PRs can run deployment tests,78FECF +Status: Waiting For Response :speech_balloon:,Waiting for a response ,A11692 +Status: Wont Fix :-1:,This will not be worked on,821028 +Type: Auto-Merge :heavy_check_mark:,Automatically merges,17183B +Type: Bot :robot_face:,Created by an actual robot,7B7554 +Type: Bug :beetle:,Something isn't working,d73a4a +Type: Documentation :page_facing_up:,Improvements or additions to documentation,0075ca +Type: Duplicate :palms_up_together:,This issue or pull request already exists,cfd3d7 +Type: Enhancement :sparkles:,New feature or request,FFE347 +Type: External Contribution :construction_worker:,This issue or pull request already exists,DEC1FF +Type: Feature Request :heavy_plus_sign:,New feature or request,a2eeef +Type: Good First Issue :green_heart:,Good for newcomers,5CC8FF +Type: Hygiene :broom:,"Things related to testing, issue triage etc.",7D7ABC +Type: New Module Proposal :bulb:,A new module for AVM is being proposed,17016A +Type: Question / Feedback :question::ear:,Further information is requested or just some feedback,CB6BA2 +Type: 
Resolution Duplicate :palms_up_together:,Issue is a duplicate and will be closed,6457A6 +Type: Security Bug :lock:,This is a security bug,344966 +Type: Upstream Dependency :arrow_up:,something must happen before start something else,E6AACE diff --git a/workloads/AKS/README.md b/workloads/AKS/README.md deleted file mode 100644 index cc09cc4352..0000000000 --- a/workloads/AKS/README.md +++ /dev/null 
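Review bot: The row `Type: External Contribution :construction_worker:,This issue or pull request already exists,DEC1FF` carries the description copied from the Duplicate label; it should describe an external contribution, e.g. `Type: External Contribution :construction_worker:,Raised or worked on by someone outside the core team,DEC1FF`, otherwise the label's hover text misleads triagers. The `Status: No Recent Activity` row has a typo, `will eb closed` should read `will be closed`. `Type: Security Bug :lock:` shares colour 344966 with `Status: In PR :point_right:`, so the two cannot be told apart by colour; a distinct HEX for the security label would help it stand out.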
@@ -1,25 +0,0 @@ -# Deploy AKS into an online landing zone - -The ARM template provided in this folder can be used to create new AKS clusters into the online landing zones (i.e., no requirement for hybrid connectivity, nor connectivity to corp network). - -## Pre-requsites - -The user/developer who's deploying this ARM template must be an Owner - or have Microsoft.Authorization/roleAssignments/write permission on landing zone subscription since a managed identity is being created and granted permission to the resources. - -## Policy Driven Governance - -One of the design principles of Enterprise-Scale is to use Policy Driven Governance to ensure autonomy and a secure, compliant goal state for the Azure platform and the landing zones (subscriptions). When AKS and requisite resources are being deployed, these policies will ensure a compliant, secure, and governed AKS cluster. - -## What will be deployed? - -By default, all recommendations are enabled and you must explicitly disable them if you don't want it to be deployed and configured. - -- A new AKS cluster into a new or existing Resource Group in the online landing zone subscription -- Azure Policies that will enable autonomy for the platform and the landing zones. -- Azure Container Registry -- Kubenet default virtual network components (the cluster will not be able to connect to corp network) -- Container Monitoring enabled by Azure Monitor and Log Analytics. Create a new - or use an existing Log Analytics workspace for application observability. Note that platform related logs should be captured centrally and be enabled via Azure Policy. 
- -| Landing zone | ARM Template | -|:-------------------------|:-------------| -| Online |[![Deploy To Azure](https://learn.microsoft.com/en-us/azure/templates/media/deploy-to-azure.svg)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2Fworkloads%2FAKS%2FarmTemplates%2Fonline-aks.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FEnterprise-Scale%2Fmain%2Fworkloads%2FAKS%2FarmTemplates%2Fportal-online-aks.json) | \ No newline at end of file diff --git a/workloads/AKS/armTemplates/online-aks.json b/workloads/AKS/armTemplates/online-aks.json deleted file mode 100644 index 2afbb125da..0000000000 --- a/workloads/AKS/armTemplates/online-aks.json +++ /dev/null 
@@ -1,259 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "resourceName": { - "type": "string", - "metadata": { - "description": "The name of the Managed Cluster resource." - } - }, - "location": { - "type": "string", - "metadata": { - "description": "The location of AKS resource." - } - }, - "dnsPrefix": { - "type": "string", - "metadata": { - "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." - } - }, - "osDiskSizeGB": { - "type": "int", - "defaultValue": 0, - "metadata": { - "description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." - }, - "minValue": 0, - "maxValue": 1023 - }, - "kubernetesVersion": { - "type": "string", - "defaultValue": "1.18.10", - "metadata": { - "description": "The version of Kubernetes." - } - }, - "networkPlugin": { - "type": "string", - "defaultValue": "kubenet", - "allowedValues": [ - "azure", - "kubenet" - ], - "metadata": { - "description": "Network plugin used for building Kubernetes network." - } - }, - "enableAzurePolicy": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Boolean flag to turn on and off Azure Policy addon." - } - }, - "enableOmsAgent": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Boolean flag to turn on and off omsagent addon." - } - }, - "useExistingWorkspace": { - "type": "string", - "allowedValues": [ - "Yes", - "No" - ], - "defaultValue": "No" - }, - "omsWorkspaceId": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Specify the resource id of the OMS workspace." 
- } - }, - "vmSize": { - "type": "string", - "defaultValue": "Standard_DS2_v2" - }, - "enableAcr": { - "type": "bool", - "defaultValue": false - }, - "identity": { - "type": "object", - "defaultValue": { - "value": { - "type": "SystemAssigned" - } - } - } - }, - "variables": { - "acrName": "[concat(parameters('resourceName'), 'acr')]" - }, - "resources": [ - { - "apiVersion": "2020-09-01", - "type": "Microsoft.ContainerService/managedClusters", - "location": "[parameters('location')]", - "name": "[parameters('resourceName')]", - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', concat(parameters('resourceName'), subscription().subscriptionId))]", - "containerSolutionToExistingLa" - ], - "properties": { - "kubernetesVersion": "[parameters('kubernetesVersion')]", - "enableRBAC": true, - "dnsPrefix": "[parameters('dnsPrefix')]", - "agentPoolProfiles": [ - { - "name": "agentpool", - "osDiskSizeGB": "[parameters('osDiskSizeGB')]", - "count": 3, - "vmSize": "[parameters('vmSize')]", - "osType": "Linux", - "storageProfile": "ManagedDisks", - "type": "VirtualMachineScaleSets", - "mode": "System", - "maxPods": 30, - "availabilityZones": [ - "1", - "2", - "3" - ] - } - ], - "networkProfile": { - "loadBalancerSku": "standard", - "networkPlugin": "[if(equals(parameters('networkPlugin'), 'none'), json(''), parameters('networkPlugin'))]" - }, - "aadProfile": { - "managed": true - }, - "apiServerAccessProfile": { - "enablePrivateCluster": false - }, - "addonProfiles": { - "httpApplicationRouting": { - "enabled": false - }, - "azurePolicy": { - "enabled": "[parameters('enableAzurePolicy')]" - }, - "omsagent": { - "enabled": "[parameters('enableOmsAgent')]", - "config": { - "logAnalyticsWorkspaceResourceID": "[if(equals(parameters('useExistingWorkspace'), 'No'), resourceId('Microsoft.OperationalInsights/workspaces', concat(parameters('resourceName'), subscription().subscriptionId)), 
parameters('omsWorkspaceId').id)]" - } - } - } - } - }, - { - "condition": "[and(not(equals(parameters('useExistingWorkspace'), 'Yes')), empty(parameters('omsWorkspaceId')))]", - "type": "Microsoft.OperationalInsights/workspaces", - "location": "[resourceGroup().location]", - "apiVersion": "2020-03-01-preview", - "name": "[concat(parameters('resourceName'), subscription().subscriptionId)]", - "properties": { - "sku": { - "name": "Standalone" - } - } - }, - { - "condition": "[and(not(equals(parameters('useExistingWorkspace'), 'Yes')), empty(parameters('omsWorkspaceId')))]", - "type": "Microsoft.OperationsManagement/solutions", - "apiVersion": "2015-11-01-preview", - "location": "[resourceGroup().location]", - "name": "[concat('ContainerInsights', '(', parameters('resourceName'), subscription().subscriptionId, ')')]", - "dependsOn": [ - "[resourceId('Microsoft.OperationalInsights/workspaces', concat(parameters('resourceName'), subscription().subscriptionId))]" - ], - "properties": { - "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', concat(parameters('resourceName'), subscription().subscriptionId))]" - }, - "plan": { - "name": "[concat('ContainerInsights', '(', parameters('resourceName'), subscription().subscriptionId, ')')]", - "product": "[concat('OMSGallery/', 'ContainerInsights')]", - "promotionCode": "", - "publisher": "Microsoft" - } - }, - { - "condition": "[and(equals(parameters('useExistingWorkspace'), 'Yes'), not(empty(parameters('omsWorkspaceId'))))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2019-05-10", - "name": "containerSolutionToExistingLa", - "resourceGroup": "[if(not(empty(parameters('omsWorkspaceId'))), split(parameters('omsWorkspaceId').id, '/')[4], 'na')]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [ - { - "type": 
"Microsoft.OperationsManagement/solutions", - "apiVersion": "2015-11-01-preview", - "name": "[concat('ContainerInsights', '(', split(parameters('omsWorkspaceId').id, '/')[8], ')')]", - "location": "[resourceGroup().location]", - "properties": { - "workspaceResourceId": "[parameters('omsWorkspaceId').id]" - }, - "plan": { - "name": "[concat('ContainerInsights', '(', split(parameters('omsWorkspaceId').id, '/')[8], ')')]", - "product": "[concat('OMSGallery/', 'ContainerInsights')]", - "promotionCode": "", - "publisher": "Microsoft" - } - } - ] - } - } - }, - { - "condition": "[parameters('enableAcr')]", - "type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2019-05-01", - "name": "[variables('acrName')]", - "location": "[resourceGroup().location]", - "sku": { - "name": "Standard" - }, - "properties": { - "adminUserEnabled": false - } - }, - { - "condition": "[parameters('enableAcr')]", - "type": "Microsoft.ContainerRegistry/registries/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(variables('acrName'), '/Microsoft.Authorization/', 'da4b1df1-af30-4020-8914-89ba622bb05c')]", - "dependsOn": [ - "[resourceId('Microsoft.ContainerRegistry/registries/', variables('acrName'))]", - "[resourceId('Microsoft.ContainerService/managedClusters/', parameters('resourceName'))]" - ], - "properties": { - "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters/', parameters('resourceName')), '2020-09-01').identityProfile.kubeletidentity.objectId]", - "principalType": "ServicePrincipal", - "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "scope": "[resourceId('Microsoft.ContainerRegistry/registries/', variables('acrName'))]" - } - } - ], - "outputs": { - "controlPlaneFQDN": { - "type": "string", - "value": "[reference(concat('Microsoft.ContainerService/managedClusters/', parameters('resourceName'))).fqdn]" - } - } -} \ No newline at 
end of file diff --git a/workloads/AKS/armTemplates/portal-online-aks.json b/workloads/AKS/armTemplates/portal-online-aks.json deleted file mode 100644 index cd09bb10e2..0000000000 --- a/workloads/AKS/armTemplates/portal-online-aks.json +++ /dev/null 
@@ -1,265 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "basics": [ - {} - ], - "steps": [ - { - "name": "aksBasics", - "label": "AKS Setup (Online)", - "elements": [ - { - "name": "infoBox1", - "type": "Microsoft.Common.InfoBox", - "visible": true, - "options": { - "icon": "Info", - "text": "Configure the basic settings for your AKS cluster that will be deployed to an online landing zone. Note that recommended settings are enabled by default, such as RBAC and Azure Policy.", - "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization#subscription-organization-and-governance" - } - }, - { - "name": "aksName", - "type": "Microsoft.Common.TextBox", - "label": "AKS cluster name", - "placeholder": "", - "defaultValue": "", - "toolTip": "Use only allowed characters", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "Only alphanumeric characters are allowed, and the value must be 1-30 characters long." - }, - "visible": true - }, - { - "name": "aksDns", - "type": "Microsoft.Common.TextBox", - "label": "AKS DNS prefix", - "placeholder": "", - "defaultValue": "", - "toolTip": "Use only allowed characters", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "Only alphanumeric characters are allowed, and the value must be 1-30 characters long." 
- }, - "visible": true - }, - { - "name": "aksVersion", - "type": "Microsoft.Common.DropDown", - "label": "AKS version", - "placeholder": "", - "defaultValue": "1.18.10 (default)", - "toolTip": "", - "constraints": { - "allowedValues": [ - { - "label": "1.19.3", - "value": "1.19.3" - }, - { - "label": "1.19.1", - "value": "1.19.1" - }, - { - "label": "1.18.10 (default)", - "value": "1.18.10" - }, - { - "label": "1.17.13", - "value": "1.17.13" - } - ], - "required": true - }, - "visible": true - }, - { - "name": "aksSize", - "type": "Microsoft.Compute.SizeSelector", - "label": "AKS cluster size", - "toolTip": "", - "recommendedSizes": [ - "Standard_D1", - "Standard_D2", - "Standard_D3" - ], - "constraints": { - "allowedSizes": [], - "excludedSizes": [], - "numAvailabilityZonesRequired": 3, - "zone": "3" - }, - "options": { - "hideDiskTypeFilter": false - }, - "osPlatform": "Linux", - "count": 2, - "visible": true - }, - { - "name": "aksIdentity", - "type": "Microsoft.ManagedIdentity.IdentitySelector", - "label": "Managed Identity Configuration", - "toolTip": { - "systemAssignedIdentity": "Enable system assigned identity for AKS to manage cloud resources attached to the cluster." 
- }, - "defaultValue": { - "systemAssignedIdentity": "On" - }, - "options": { - "hideSystemAssignedIdentity": false, - "hideUserAssignedIdentity": true - }, - "visible": true - }, - { - "name": "aksRbac", - "type": "Microsoft.Common.OptionsGroup", - "label": "AKS authentication and authorization", - "defaultValue": "Role-based access control (RBAC)", - "toolTip": "", - "constraints": { - "allowedValues": [ - { - "label": "Role-based access control (RBAC)", - "value": true - } - ], - "required": true - }, - "visible": true - } - ] - }, - { - "name": "aksIntegration", - "label": "AKS Integration", - "elements": [ - { - "name": "acrText", - "type": "Microsoft.Common.TextBlock", - "visible": true, - "options": { - "text": "Azure Container Registry enables seamless deployments from a private image registry. Select the checkbox to connect your AKS cluster.", - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/aks/cluster-container-registry-integration" - } - } - }, - { - "name": "aksAcr", - "type": "Microsoft.Common.CheckBox", - "label": "Enable Azure Container Registry.", - "constraints": { - "required": false, - "validationMessage": "Select if Azure Container Registry should be created." - } - }, - { - "name": "monitoringText", - "type": "Microsoft.Common.TextBlock", - "visible": true, - "options": { - "text": "Azure Monitor provides a curated monitoring experience for your AKS cluster. 
Select whether to use an existing Log Analytics workspace in the landing zone or create a new workspace for this AKS cluster.", - "link": { - "label": "Learn more", - "uri": "https://azure.microsoft.com/blog/monitoring-azure-kubernetes-service-aks-with-azure-monitor-container-health-preview/" - } - } - }, - { - "name": "aksMon", - "type": "Microsoft.Common.OptionsGroup", - "label": "Enable AKS monitoring", - "defaultValue": "Yes", - "toolTip": "", - "constraints": { - "allowedValues": [ - { - "label": "Yes", - "value": true - }, - { - "label": "No", - "value": false - } - ], - "required": true - }, - "visible": true - }, - { - "name": "aksWorkspace", - "type": "Microsoft.Common.OptionsGroup", - "label": "Use existing Log Analytics workspace", - "defaultValue": "No", - "toolTip": "", - "constraints": { - "allowedValues": [ - { - "label": "Yes", - "value": "Yes" - }, - { - "label": "No", - "value": "No" - } - ], - "required": true - }, - "visible": "[equals(steps('aksIntegration').aksMon, true)]" - }, - { - "name": "workspaceSelector", - "type": "Microsoft.Solutions.ResourceSelector", - "label": "Select Log Analytics workspace", - "resourceType": "Microsoft.OperationalInsights/workspaces", - "visible": "[equals(steps('aksIntegration').aksWorkspace, 'Yes')]", - "required": true, - "options": { - "filter": { - "subscription": "onBasics", - "location": "onBasics" - } - } - } - ] - }, - { - "name": "tags", - "label": "Tags", - "elements": [ - { - "name": "tagsByResource", - "type": "Microsoft.Common.TagsByResource", - "resources": [ - "Microsoft.ContainerRegistry/registries", - "Microsoft.ContainerService/managedClusters" - ] - } - ] - } - ], - "outputs": { - "dnsPrefix": "[steps('aksBasics').aksDns]", - "resourceName": "[steps('aksBasics').aksName]", - "location": "[location()]", - "vmSize": "[steps('aksBasics').aksSize]", - "identity": "[steps('aksBasics').aksIdentity]", - "kubernetesVersion": "[steps('aksBasics').aksVersion]", - "enableRBAC": 
"[steps('aksBasics').aksRbac]", - "enableAcr": "[steps('aksIntegration').aksAcr]", - "enableOmsAgent": "[steps('aksIntegration').aksMon]", - "useExistingWorkspace": "[steps('aksIntegration').aksWorkspace]", - "omsWorkspaceId": "[steps('aksIntegration').workspaceSelector]", - "tagsByResource": "[steps('tags').tagsByResource]" - } - } -} \ No newline at end of file diff --git a/workloads/ARO/README.md b/workloads/ARO/README.md deleted file mode 100644 index 747aac965b..0000000000 --- a/workloads/ARO/README.md +++ /dev/null 
@@ -1,154 +0,0 @@ -# Deploy Azure Red Hat OpenShift (ARO) in Enterprise-Scale landing zones - -This article provides prescriptive guidance for deploying Azure Red Hat OpenShift (ARO) clusters in Enterprise-Scale landing zones environment. - -Additionally ARM templates and sample scripts are provided to support a deployment. - -## Pre-requsites - -Before getting started with this guidance, ensure that: - -- Enterprise-Scale landing zones has been deployed by using the Hub and Spoke reference implementation or Enterprise-Scale landing zones was deployed as per [architectural guidance](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/) in the Cloud Adoption Framework. -- There is at least one landing zone under the corp management group where ARO cluster will be deployed, which is peered to the hub VNet. -- Within Enterprise-Scale landing zones there is a segregation between platform and workload/application specific roles. For this guide the segregation of duties is fully respected and it is mentioned which role is able to perform the actions. -- This guide follows the principle of least-privilege by assign permissions to the user installing ARO or the respective SPN's. 
- -Before ARO is deployed to a landing zone, ensure the following requirements are met: - -### Identity - -The following identities are required when installing an ARO cluster following the principle of least-privilege via Azure CLI and ARM template deployment: - -| Identity | Required privileges | Scope or resource | Description | -|:---------|:--------------------|:------------------|:--------| -| ARO cluster SPN | Network contributor | LZ VNet | SPN required during ARO installation | -| ARO first party SPN | Network contributor | LZ VNet and UDR | Azure Red Hat OpenShift RP SPN | -| User for ARO installation | Contributor | Cluster RG | Azure AD user identity performing the installation | -| User for ARO installation | Reader | Landing zone subscription | Azure AD user identity performing the installation | - -> Note: SPN has to be dedicated to a single ARO cluster and can't be shared. - -The following script can be used by the **Platform team** to prepare the landing zone for an ARO cluster installation: - -``` bash - # Variable declaration - RESOURCE_GROUP= - CLUSTER_RESOURCE_GROUP= - NETWORK_RESOURCE_GROUP= - VNET_NAME= - SUBSCRIPTION_ID= - ARO_FP_SP=f1dd0a37-89c6-4e07-bcd1-ffd3d43d8875 - ARO_INSTALL_USER= - CLUSTER= - CLUSTER_SPN_NAME=${CLUSTER}-spn - - # Creates the cluster resource group - az group create -g "$RESOURCE_GROUP" -l "$LOCATION" - - # Create cluster SPN - az ad sp create-for-rbac --name $CLUSTER_SPN_NAME --skip-assignment > spn.json - - # Cluster SPN is contributor on vNet - az role assignment create --assignee $(cat spn.json | jq -r .appId) --role "network contributor" --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${NETWORK_RESOURCE_GROUP}/providers/Microsoft.Network/virtualNetworks/${VNET_NAME} - - # Azure Red Hat Openshift account is contributor on vNet - az role assignment create --assignee ${ARO_FP_SP} --role "network contributor" --scope 
/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${NETWORK_RESOURCE_GROUP}/providers/Microsoft.Network/virtualNetworks/${VNET_NAME} - - # User who will be installing ARO is contributor on RG and reader on the subscription (Please note that no owner permission is required) - az role assignment create --assignee ${ARO_INSTALL_USER} --role "Contributor" --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP} - az role assignment create --assignee ${ARO_INSTALL_USER} --role "Reader" --scope /subscriptions/${SUBSCRIPTION_ID} - - # Create UDR for ARO subnets. The subnets should have outbound connectivity to specific ARO endpoints. For example the UDR could point to the Firewall / Hub router. - az network route-table create -g $NETWORK_RESOURCE_GROUP --name aro-udr - - az network route-table route create -g $NETWORK_RESOURCE_GROUP --name aro-udr --route-table-name aro-udr --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address - - # Azure Red Hat Openshift account is contributor on UDR - az role assignment create --assignee ${ARO_FP_SP} --role "network contributor" --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${NETWORK_RESOURCE_GROUP}/providers/Microsoft.Network/routeTables/aro-udr - - # Cluster SPN is contributor on UDR - az role assignment create --assignee $(cat spn.json | jq -r .appId) --role "network contributor" --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${NETWORK_RESOURCE_GROUP}/providers/Microsoft.Network/routeTables/aro-udr -``` - -### Azure Policy consideration - -Enterprise-Scale landing zones manages compliant resource and landing zone configuration via Azure Policy. ARO is deployed as a Managed Application, which includes certain configuration that conflicts with existing Policy assignments. 
The following enterprise-scale landing zone policy assignments conflicting with the deployment of ARO: - -- Subnets should have a Network Security Group (-> ARO installer deploys and manages own default NSG) -- Public network access should be disabled for PaaS services (-> ARO installer deploys and manages Azure Storage Accounts) -- Deny creation of Public IP Addresses (-> ARO installer creates a public IP address for egress) - -**Platform team** can create [exemptions](https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure) for these existing Policy assignments. - -### Network - -The following network configuration needs to be applied by the **Platform/NetOps team** in the target landing zone. Please note that, in the Enterprise-Scale context, the landing zone VNet has been already deployed in the subscription and connected to the hub VNet via VNet peering, hence only the following configuration is required: - -| Resource | Description | -|:--------------|:------------------------| -| Master-subnet | Subnet for master nodes | -| Worker-subnet | Subnet for worker nodes | -| Private link service network policies | Must be disabled on the Master-Subnet | -| Azure Container Registry (ACR) Service Endpoint | Both subnets, Master-Subnet and Worker-Subnet require Service Endpoint for ACR | - -> Note: Make sure that no NSG is linked to the subnets. ARO installer will fail if there are NSGs attached to the ARO subnets. NSG are managed resources in the ARO context. 
- -Commands to create the required subnets with the required configuration for an ARO cluster deployment: - -```shell -# Variables for the previous section wil be required -az network vnet subnet create \ - -g "$NETWORK_RESOURCE_GROUP" \ - --vnet-name "$VNET_NAME" \ - --route-table aro-udr \ - -n "$CLUSTER-master" \ - --address-prefixes 10.10.1.0/24 \ - --service-endpoints Microsoft.ContainerRegistry - -az network vnet subnet create \ - -g "$NETWORK_RESOURCE_GROUP" \ - --vnet-name "$VNET_NAME" \ - --route-table aro-udr - -n "$CLUSTER-worker" \ - --address-prefixes 10.10.2.0/24 \ - --service-endpoints Microsoft.ContainerRegistry - -az network vnet subnet update \ - -g "$NETWORK_RESOURCE_GROUP" \ - --vnet-name "$VNET_NAME" \ - -n "$CLUSTER-master" \ - --disable-private-link-service-network-policies true - -``` - -### Firewall rule configuration - -Firewall configuration documented [here](https://learn.microsoft.com/en-us/azure/openshift/howto-restrict-egress) needs to be applied by the Platform/NetOps team in Azure Firewall (or third party NVA) in the connectivity subscription. - -It is essential your firewall can resolve DNS names so its can resolve the endpoints needed by Azure RedHat Openshift. Specific steps for Azure Firewall are here https://learn.microsoft.com/en-us/azure/firewall/dns-settings - -## Deploy Azure Red Hat OpenShift using Azure CLI - -The following command should be executed by the **landing zone user**, which will deploy the new ARO cluster into an existing landing zone VNet. 
-```shell -# Variables for the previous section wil be required - -# Private cluster -az aro create --name "$CLUSTER" \ - --resource-group "$RESOURCE_GROUP" \ - --cluster-resource-group "$CLUSTER_RESOURCE_GROUP" \ - --master-subnet "$CLUSTER-master" \ - --worker-subnet "$CLUSTER-worker" \ - --apiserver-visibility Private \ - --client-id $(cat spn.json | jq -r .appId) \ - --client-secret $(cat spn.json | jq -r .password) \ - --ingress-visibility Private \ - --pull-secret \ - --vnet "$VNET_NAME" \ - --vnet-resource-group "$NETWORK_RESOURCE_GROUP" - -``` - -## Deploy Azure Red Hat OpenShift using ARM templates - -_coming soon_ diff --git a/workloads/README.md b/workloads/README.md index 8dfb8e7811..ad17944587 100644 --- a/workloads/README.md +++ b/workloads/README.md 
@@ -1,24 +1,3 @@ # ARM templates and Bicep files for compliant workload deployments -At this point you have the necessary platform setup and landing zones (subscriptions) created and placed into their respective management groups, being secure, governed, monitored, and enabled for autonomy and are ready for your application teams to do workload deployments, migrations, and net-new development to their landing zones. - -The following workloads outlined here provides best-practices, and curated deployment experiences for your application teams to successfully deploy them into their landing zones (online, corp) - -This folder contains ARM templates and Bicep files that are developed and composed to ensure organizations can: - -- Accelerate adoption and Azure service enablement for their application teams and business units -- Deploy compliant Azure services aligned with the proactive and preventive policies provided by Enterprise-Scale landing zones, aligned with [Microsoft Cloud Security Benchmark](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/security-governance-and-compliance#azure-security-benchmark) - -## Who should use this library? - -Any organization that have deployed Enterprise-Scale reference implementations, or have followed the architecture and design methodology to enable landing zones in their Azure tenant, can start to use this library to deploy compliant workloads into their landing zones. 
- -We support the following scenarios: - -- Create TemplateSpecs of each artifact, that you can share with the application teams via RBAC in your tenant -- Deploy directly to a landing zone from this repository, using Azure PowerShell or Azure CLI -- Fork, extend, and internalize the repository for your own use - -See each artifact for further details regarding pre-requisites, such as dependencies on the Azure Platform (e.g., virtual networks with address space are created and provided into the landing zones, and policies are in place to ensure core security logs/metrics are stored centrally) - -Note: Regardless of how application teams decide to deploy their workloads, Azure Policy will ensure they conform to the guardrails in place, such as ensuring resources are enabled for security, monitoring, backup, and more. +Please head to [Deploy Azure landing zones in the Azure Archtiecture Center](https://aka.ms/alz/aac) for more information. diff --git a/workloads/data/README.md b/workloads/data/README.md deleted file mode 100644 index d753dec2f2..0000000000 --- a/workloads/data/README.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# Enterprise-Scale Analytics - -## Overview - -The [Enterprise-Scale Analytics](https://aka.ms/adopt/datamanagement) architecture provides a prescriptive data platform design coupled with Azure best practices and design principles. These principles serve as a compass for subsequent design decisions across critical technical domains. The architecture will continue to evolve alongside the Azure platform and is ultimately driven by the various design decisions that organizations must make to define their Azure data journey. - -The Enterprise-Scale Analytics architecture consists of two core building blocks: - -1. *Data Management Zone* which provides all data management and data governance capabilities for the data platform of an organization. -1. *Data Landing Zone* which is a logical construct and a unit of scale in the Enterprise-Scale Analytics architecture that enables data retention and execution of data workloads for generating insights and value with data. - -The architecture is modular by design and allows organizations to start small with a single Data Management Zone and Data Landing Zone, but also allows to scale to a multi-subscription data platform environment by adding more Data Landing Zones to the architecture. Thereby, the reference design allows to implement different modern data platform patterns like data-mesh, data-fabric as well as traditional datalake architectures. Enterprise-Scale Analytics has been very well aligned with the data-mesh approach, and is ideally suited to help organizations build data products and share these across business units of an organization. If core recommendations are followed, the resulting target architecture will put the customer on a path to sustainable scale. 
- -![Enterprise-Scale Analytics](./docs/media/EnterpriseScaleAnalytics.gif) - ---- - -_The Enterprise-Scale Analytics architecture represents the strategic design path and target technical state for your Azure data platform._ - ---- - -## Deploy Enterprise-Scale Analytics - -The Enterprise-Scale Analytics architecture is modular by design and allows customers to start with a small footprint and grow over time. In order to not end up in a migration project, customers should decide upfront how they want to organize data domains across Data Landing Zones. All Enterprise-Scale Analytics architecture building blocks can be deployed through the Azure Portal as well as through GitHub Actions workflows and Azure DevOps Pipelines. The template repositories contain sample YAML pipelines to more quickly get started with the setup of the environments. For more details, please visit the respective repositories. - -| Reference implementation | Description | Deploy to Azure | Link | -|:---------------------------|:------------|:----------------|------| -| Enterprise-Scale Analytics | Deploys a Data Management Zone and one or multiple [Data Landing Zone](https://github.com/Azure/data-landing-zone) all at once. Provides less options than the the individual Data Management Zone and Data Landing Zone deployment options. Helps you to quickly get started and make yourself familiar with the reference design. For more advanced scenarios, please deploy the artifacts individually. 
|[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-management-zone%2Fmain%2Fdocs%2Freference%2FenterpriseScaleAnalytics.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-management-zone%2Fmain%2Fdocs%2Freference%2Fportal.enterpriseScaleAnalytics.json) | N/A (This deployment is just a wrapper of all the individual components listed below) | -| Data Management Zone | Deploys a single Data Management Zone to a subscription. |[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-management-zone%2Fmain%2Finfra%2Fmain.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-management-zone%2Fmain%2Fdocs%2Freference%2Fportal.dataManagementZone.json) | [Repository](https://github.com/Azure/data-management-zone) | -| Data Landing Zone | Deploys a single Data Landing Zone to a subscription. Please deploy a Data Management Zone first. |[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-landing-zone%2Fmain%2Finfra%2Fmain.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-landing-zone%2Fmain%2Fdocs%2Freference%2Fportal.dataLandingZone.json) | [Repository](https://github.com/Azure/data-landing-zone) | -| Data Product Batch | Deploys a Data Workload template for Data Batch Analysis to a resource group inside a [Data Landing Zone](https://github.com/Azure/data-landing-zone). Please deploy a Data Management Zone and [Data Landing Zone](https://github.com/Azure/data-landing-zone) first. 
|[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-product-batch%2Fmain%2Finfra%2Fmain.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-product-batch%2Fmain%2Fdocs%2Freference%2Fportal.dataProduct.json) | [Repository](https://github.com/Azure/data-product-batch) | -| Data Product Streaming | Deploys a Data Workload template for Data Streaming Analysis to a resource group inside a [Data Landing Zone](https://github.com/Azure/data-landing-zone). Please deploy a Data Management Zone and [Data Landing Zone](https://github.com/Azure/data-landing-zone) first. |[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-product-streaming%2Fmain%2Finfra%2Fmain.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-product-streaming%2Fmain%2Fdocs%2Freference%2Fportal.dataProduct.json) | [Repository](https://github.com/Azure/data-product-streaming) | -| Data Product Analytics | Deploys a Data Workload template for Data Analytics and Data Science to a resource group inside a [Data Landing Zone](https://github.com/Azure/data-landing-zone). Please deploy a Data Management Zone and [Data Landing Zone](https://github.com/Azure/data-landing-zone) first. |[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-product-analytics%2Fmain%2Finfra%2Fmain.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fdata-product-analytics%2Fmain%2Fdocs%2Freference%2Fportal.dataProduct.json) | [Repository](https://github.com/Azure/data-product-analytics) | 
diff --git a/workloads/data/docs/media/EnterpriseScaleAnalytics.gif b/workloads/data/docs/media/EnterpriseScaleAnalytics.gif deleted file mode 100644 index 6720d90112..0000000000 Binary files a/workloads/data/docs/media/EnterpriseScaleAnalytics.gif and /dev/null differ diff --git a/workloads/keyvault/README.md b/workloads/keyvault/README.md deleted file mode 100644 index b6941f2a53..0000000000 --- a/workloads/keyvault/README.md +++ /dev/null @@ -1,61 +0,0 @@ -# Azure Key Vault - -## Overview - -The ARM template and Bicep file for Azure Key Vault is developed for organizations to accelerate their deployment while ensuring the Azure Service is compliant and meets your organization's requirements for hardening PaaS services. - -## Compliant Azure Key Vault - -It is assumed that the deployment will go into a landing zone where the platform provides the guardrails (Azure Policy), such as: - -- Diagnostics and metrics are enabled to route security relevant information to a platform Log Analytics workspace (this does not prevent application teams to also use their app centric Log Analytics workspace, which also will have a diagnostic setting configured to send logs/metrics.) -- Usage of public endpoint is not allowed for PaaS services -- Private endpoints DNS records are automatically created in the privatelink.vaultcore.azure.net Azure Private DNS zone in the connectivity subscription -- Azure Defender (Azure Security Center) is enabled for Azure Key Vault in the landing zones -- Soft-delete is enabled by default -- Purge protection is enabled by default - -The following table shows the policies related to Key Vault to address the above - -|**ESLZ Policy**
(Azure portal) |
**Description**
| **Effect(s)** | **Assignment scope** | -|---|:---:|:---:|:---:| -| KeyVault SoftDelete should be enabled | Ensures that Key Vaults are created with soft-delete enabled | append | Intermediate Root Management Group -| Deploy Diagnostics settings for Key Vault to Log Analytics workspace | Deploys the diagnostics settings for Key Vaults, and connects to a Log Analytics workspace | deployIfNotExists, disabled | Intermediate root Management Group | -| Deploy DNS Zone Group for Key Vault Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Key Vault Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | Landing Zone Management Group | -| Deploy Azure Defender for AKV | Deploys and enable Azure Defender for Azure Key Vault on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | Intermediate root Management Group | -| Deny or Deploy and Append TLS requirements and SSL enforcement on resources without encryption in transit | Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed | append, audit, auditIfNotExists, deployIfNotExists, deny | Landing Zones management group | -Configure Azure Key Vaults with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | deployIfNotExists, disabled | Landing Zones management group | -Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | audit, deny, disabled | Landing Zones management group - -## How to deploy -The ARM template and bicep file can be deployed directly, or be staged as a templateSpec in your tenant, and shared with application teams via RBAC. - -You can consume the template and bicep file in the following ways: - -### Deploy using Azure PowerShell - -````powershell -New-AzResourceGroupDeployment -Name -ResourceGroupName -TemplateUri "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/workloads/keyvault/azkeyvault.json" -```` - -### Deploy using Azure CLI - -````cli -az deployment group create --resource-group --name --template-uri "https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/workloads/keyvault/azkeyvault.json" -```` - -### Deploy as TemplateSpec using Azure PowerShell - -````powershell -New-AzTemplateSpec -Name AzKeyVault -Version 1.0.0 -ResourceGroupName -Location -TemplateFile .\azkeyvault.json -```` - -### Deploy as TemplateSpec using Azure CLI - -````cli -az ts create --name AzKeyVault --version 1.0.0 --resource-group --location --template-file ./azkeyvault.json -```` - -### Deploy as Bicep - ->Note: Currently, Azure CLI doesn't support deploying remote Bicep files. Use [Bicep CLI](https://learn.microsoft.com/azure/azure-resource-manager/bicep/install#development-environment) to compile the Bicep file to a JSON template, and then load the JSON file to the remote location \ No newline at end of file diff --git a/workloads/keyvault/azkeyvault.bicep b/workloads/keyvault/azkeyvault.bicep deleted file mode 100644 index e58b2587df..0000000000 --- a/workloads/keyvault/azkeyvault.bicep +++ /dev/null 
@@ -1,132 +0,0 @@ -@description('Specifies the name of the KeyVault, this value must be globally unique.') -param vaultName string = 'keyvault-${uniqueString(resourceGroup().id)}' - -@description('Specifies the Azure location where the key vault should be created.') -param location string = resourceGroup().location - -@description('Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.') -param enabledForDeployment bool = false - -@description('Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.') -param enabledForDiskEncryption bool = false - -@description('Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault.') -param enabledForTemplateDeployment bool = false - -@description('Property specifying whether protection against purge is enabled for this vault. This property does not accept false but enabled here to allow for this to be optional, if false, the property will not be set.') -param enablePurgeProtection bool = true - -@description('Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored.') -param enableRbacAuthorization bool = false - -@description('Property to specify whether the \'soft delete\' functionality is enabled for this key vault. If it\'s not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false.') -param enableSoftDelete bool = true - -@minValue(7) -@maxValue(90) -@description('softDelete data retention days, only used if enableSoftDelete is true. 
It accepts >=7 and <=90.') -param softDeleteRetentionInDays int = 7 - -@description('Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet.') -param tenantId string = subscription().tenantId - -@allowed([ - 'None' - 'AzureServices' -]) -@description('Tells what traffic can bypass network rules. This can be \'AzureServices\' or \'None\'. If not specified the default is \'AzureServices\'.') -param networkRuleBypassOptions string = 'AzureServices' - -@allowed([ - 'Allow' - 'Deny' -]) -@description('The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated.') -param NetworkRuleAction string = 'Allow' - -@description('An array of IPv4 addresses or rangea in CIDR notation, e.g. \'124.56.78.91\' (simple IP address) or \'124.56.78.0/24\' (all addresses that start with 124.56.78).') -param ipRules array = [] - -@description('An complex object array that contains the complete definition of the access policy.') -param accessPolicies array = [] - -@description('An array for resourceIds for the virtualNetworks allowed to access the vault.') -param virtualNetworkRules array = [] - -@allowed([ - 'Standard' - 'Premium' -]) -@description('Specifies whether the key vault is a standard vault or a premium vault.') -param skuName string = 'Standard' - -@description('Provide the resourceId for the application centric Log Analytics workspace if you want to enable diagnostics for the KeyVault. 
If no resourceId is provided, the resource will be ignored.') -param logAnalyticsResourceId string = '' - -@description('Tags to be assigned to the KeyVault.') -param tags object = {} - -resource vaultName_resource 'Microsoft.KeyVault/vaults@2019-09-01' = { - name: vaultName - location: location - tags: tags - properties: { - tenantId: tenantId - sku: { - family: 'A' - name: skuName - } - accessPolicies: [for item in accessPolicies: { - tenantId: item.tenantId - objectId: item.objectId - permissions: item.permissions - }] - enabledForDeployment: enabledForDeployment - enabledForDiskEncryption: enabledForDiskEncryption - enabledForTemplateDeployment: enabledForTemplateDeployment - enableSoftDelete: enableSoftDelete - softDeleteRetentionInDays: (enableSoftDelete ? softDeleteRetentionInDays : json('null')) - enableRbacAuthorization: enableRbacAuthorization - enablePurgeProtection: (enablePurgeProtection ? enablePurgeProtection : json('null')) - networkAcls: { - bypass: networkRuleBypassOptions - defaultAction: NetworkRuleAction - ipRules: [for item in ipRules: { - value: item - }] - virtualNetworkRules: [for item in virtualNetworkRules: { - id: item - }] - } - } -} - -resource vaultName_Microsoft_Insights_diagSetting 'Microsoft.KeyVault/vaults/providers/diagnosticSettings@2017-05-01-preview' = if (!empty(logAnalyticsResourceId)) { - name: '${vaultName}/Microsoft.Insights/diagSetting' - location: location - properties: { - workspaceId: logAnalyticsResourceId - metrics: [ - { - category: 'AllMetrics' - enabled: true - retentionPolicy: { - days: 0 - enabled: false - } - timeGrain: null - } - ] - logs: [ - { - category: 'AuditEvent' - enabled: true - } - ] - } - dependsOn: [] -} - -output vaultName string = vaultName -output vaultResourceGroup string = resourceGroup().name -output location string = location diff --git a/workloads/keyvault/azkeyvault.json b/workloads/keyvault/azkeyvault.json deleted file mode 100644 index c31dbebda0..0000000000 
--- a/workloads/keyvault/azkeyvault.json +++ /dev/null 
@@ -1,243 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "vaultName": { - "type": "string", - "defaultValue": "[concat('keyvault-', uniqueString(resourceGroup().id))]", - "metadata": { - "description": "Specifies the name of the KeyVault, this value must be globally unique." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Specifies the Azure location where the key vault should be created." - } - }, - "enabledForDeployment": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." - } - }, - "enabledForDiskEncryption": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." - } - }, - "enabledForTemplateDeployment": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault." - } - }, - "enablePurgeProtection": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Property specifying whether protection against purge is enabled for this vault. This property does not accept false but enabled here to allow for this to be optional, if false, the property will not be set." - } - }, - "enableRbacAuthorization": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored." 
- } - }, - "enableSoftDelete": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false." - } - }, - "softDeleteRetentionInDays": { - "type": "int", - "defaultValue": 7, - "minValue": 7, - "maxValue": 90, - "metadata": { - "description": "softDelete data retention days, only used if enableSoftDelete is true. It accepts >=7 and <=90." - } - }, - "tenantId": { - "type": "string", - "defaultValue": "[subscription().tenantId]", - "metadata": { - "description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet." - } - }, - "networkRuleBypassOptions": { - "type": "string", - "defaultValue": "AzureServices", - "allowedValues": [ - "None", - "AzureServices" - ], - "metadata": { - "description": "Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'." - } - }, - "NetworkRuleAction": { - "type": "string", - "defaultValue": "Allow", - "allowedValues": [ - "Allow", - "Deny" - ], - "metadata": { - "description": "The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated." - } - }, - "ipRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "An array of IPv4 addresses or rangea in CIDR notation, e.g. '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78)." - } - }, - "accessPolicies": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "An complex object array that contains the complete definition of the access policy." 
- } - }, - "virtualNetworkRules": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "An array for resourceIds for the virtualNetworks allowed to access the vault." - } - }, - "skuName": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ - "Standard", - "Premium" - ], - "metadata": { - "description": "Specifies whether the key vault is a standard vault or a premium vault." - } - }, - "logAnalyticsResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Provide the resourceId for the application centric Log Analytics workspace if you want to enable diagnostics for the KeyVault. If no resourceId is provided, the resource will be ignored." - } - }, - "tags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Tags to be assigned to the KeyVault." - } - } - }, - "variables": {}, - "resources": [ - { - "name": "[parameters('vaultName')]", - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2019-09-01", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "tenantId": "[parameters('tenantId')]", - "sku": { - "family": "A", - "name": "[parameters('skuName')]" - }, - "copy": [ - { - "name": "accessPolicies", - "count": "[length(parameters('accessPolicies'))]", - "input": { - "tenantId": "[parameters('accessPolicies')[copyIndex('accessPolicies')].tenantId]", - "objectId": "[parameters('accessPolicies')[copyIndex('accessPolicies')].objectId]", - "permissions": "[parameters('accessPolicies')[copyIndex('accessPolicies')].permissions]" - } - } - ], - "enabledForDeployment": "[parameters('enabledForDeployment')]", - "enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]", - "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]", - "enableSoftDelete": "[parameters('enableSoftDelete')]", - "softDeleteRetentionInDays": "[if(parameters('enableSoftDelete'), 
parameters('softDeleteRetentionInDays'), json('null'))]", - "enableRbacAuthorization": "[parameters('enableRbacAuthorization')]", - "enablePurgeProtection": "[if(parameters('enablePurgeProtection'), parameters('enablePurgeProtection'), json('null'))]", - "networkAcls": { - "bypass": "[parameters('networkRuleBypassOptions')]", - "defaultAction": "[parameters('networkRuleAction')]", - "copy": [ - { - "name": "ipRules", - "count": "[length(parameters('ipRules'))]", - "input": { - "value": "[parameters('ipRules')[copyIndex('ipRules')]]" - } - }, - { - "name": "virtualNetworkRules", - "count": "[length(parameters('virtualNetworkRules'))]", - "input": { - "id": "[parameters('virtualNetworkRules')[copyIndex('virtualNetworkRules')]]" - } - } - ] - } - } - }, - { - "condition": "[not(empty(parameters('logAnalyticsResourceId')))]", - "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/', 'diagSetting')]", - "location": "[parameters('location')]", - "dependsOn": [], - "properties": { - "workspaceId": "[parameters('logAnalyticsResourceId')]", - "metrics": [ - { - "category": "AllMetrics", - "enabled": true, - "retentionPolicy": { - "days": 0, - "enabled": false - }, - "timeGrain": null - } - ], - "logs": [ - { - "category": "AuditEvent", - "enabled": true - } - ] - } - } - ], - "outputs": { - "vaultName": { - "type": "string", - "value": "[parameters('vaultName')]" - }, - "vaultResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "value": "[parameters('location')]" - } - } -} \ No newline at end of file