From 4b9d81d5498b0ac77cb0f75f75c0d3e843faf50d Mon Sep 17 00:00:00 2001 
From: github-actions Date: Fri, 21 Feb 2025 08:01:40 +0000 Subject: [PATCH] Update Library Templates (automated) --- ...type_definition_es_landing_zones.tmpl.json | 2 +- .../archetype_definition_es_root.tmpl.json | 4 + ...cy_assignment_es_audit_appgw_waf.tmpl.json | 3 +- ...ment_es_audit_resourcerglocation.tmpl.json | 3 +- ...ssignment_es_audit_trustedlaunch.tmpl.json | 2 +- ...signment_es_audit_zoneresiliency.tmpl.json | 3 +- ...gnment_es_deny_classic_resources.tmpl.json | 3 +- ...ignment_es_deny_hybridnetworking.tmpl.json | 3 +- ...assignment_es_deny_ip_forwarding.tmpl.json | 3 +- ..._assignment_es_deny_priv_esc_aks.tmpl.json | 3 +- ...ssignment_es_deny_privileged_aks.tmpl.json | 3 +- ...icy_assignment_es_deny_public_ip.tmpl.json | 3 +- ...ignment_es_deny_public_ip_on_nic.tmpl.json | 3 +- ..._assignment_es_deny_storage_http.tmpl.json | 3 +- ...assignment_es_deny_unmanageddisk.tmpl.json | 3 +- ...ignment_es_deploy_asc_monitoring.tmpl.json | 3 +- ...ignment_es_deploy_azactivity_log.tmpl.json | 3 +- ...nment_es_deploy_azsqldb_auditing.tmpl.json | 3 +- ...ssignment_es_deploy_diag_logscat.tmpl.json | 3 +- ...assignment_es_deploy_mdendpoints.tmpl.json | 3 +- ...ignment_es_deploy_mdendpointsama.tmpl.json | 3 +- ...gnment_es_deploy_mdfc_defsql_ama.tmpl.json | 3 +- ..._assignment_es_deploy_mdfc_ossdb.tmpl.json | 3 +- ...assignment_es_deploy_mdfc_sqlatp.tmpl.json | 3 +- ...icy_assignment_es_deploy_sql_tde.tmpl.json | 3 +- ..._assignment_es_deploy_sql_threat.tmpl.json | 3 +- ...y_assignment_es_deploy_vm_backup.tmpl.json | 3 +- ...ignment_es_deploy_vm_changetrack.tmpl.json | 3 +- ...signment_es_deploy_vm_monitoring.tmpl.json | 3 +- ...ment_es_deploy_vmarc_changetrack.tmpl.json | 3 +- ...ment_es_deploy_vmhybr_monitoring.tmpl.json | 3 +- ...nment_es_deploy_vmss_changetrack.tmpl.json | 3 +- ...gnment_es_deploy_vmss_monitoring.tmpl.json | 3 +- ...y_assignment_es_enable_ddos_vnet.tmpl.json | 3 +- ..._assignment_es_enforce_aks_https.tmpl.json | 3 +- 
...gnment_es_enforce_subnet_private.tmpl.json | 3 +- ...signment_es_enforce_tls_ssl_q225.tmpl.json | 24 + ...cy_definition_es_audit_tags_mandatory.json | 66 ++ ...definition_es_audit_tags_mandatory_rg.json | 91 ++ ...s_deploy_sql_vulnerabilityassessments.json | 3 +- ...sql_vulnerabilityassessments_20230706.json | 3 +- ...efinition_es_audit_trustedlaunch.tmpl.json | 8 +- ..._unusedresourcescostoptimization.tmpl.json | 14 +- ...tion_es_deny_publicpaasendpoints.tmpl.json | 137 ++- ...n_es_denyaction_deleteprotection.tmpl.json | 8 +- ...ition_es_deploy_aum_checkupdates.tmpl.json | 14 +- ..._deploy_diagnostics_loganalytics.tmpl.json | 210 ++-- ...definition_es_deploy_mdfc_config.tmpl.json | 57 +- ...n_es_deploy_mdfc_config_20240319.tmpl.json | 71 +- ...n_es_deploy_mdfc_defendersql_ama.tmpl.json | 21 +- ...tion_es_deploy_private_dns_zones.tmpl.json | 179 ++-- ...efinition_es_deploy_sql_security.tmpl.json | 12 +- ..._es_deploy_sql_security_20240529.tmpl.json | 14 +- ...y_set_definition_es_enforce_acsb.tmpl.json | 17 +- ...definition_es_enforce_alz_decomm.tmpl.json | 8 +- ...efinition_es_enforce_alz_sandbox.tmpl.json | 8 +- ...set_definition_es_enforce_backup.tmpl.json | 20 +- ...nition_es_enforce_encryption_cmk.tmpl.json | 98 +- ..._enforce_encryption_cmk_20250218.tmpl.json | 680 +++++++++++++ ...nition_es_enforce_encrypttransit.tmpl.json | 66 +- ..._enforce_encrypttransit_20240509.tmpl.json | 129 ++- ..._enforce_encrypttransit_20241211.tmpl.json | 956 ++++++++++++++++++ ...ition_es_enforce_guardrails_apim.tmpl.json | 35 +- ...s_enforce_guardrails_appservices.tmpl.json | 59 +- ...es_enforce_guardrails_automation.tmpl.json | 20 +- ...es_enforce_guardrails_botservice.tmpl.json | 14 +- ...rce_guardrails_cognitiveservices.tmpl.json | 29 +- ...on_es_enforce_guardrails_compute.tmpl.json | 8 +- ...enforce_guardrails_containerapps.tmpl.json | 8 +- ...rce_guardrails_containerinstance.tmpl.json | 5 +- ...rce_guardrails_containerregistry.tmpl.json | 38 +- 
...n_es_enforce_guardrails_cosmosdb.tmpl.json | 20 +- ..._enforce_guardrails_dataexplorer.tmpl.json | 14 +- ...s_enforce_guardrails_datafactory.tmpl.json | 17 +- ..._es_enforce_guardrails_eventgrid.tmpl.json | 26 +- ...n_es_enforce_guardrails_eventhub.tmpl.json | 14 +- ...n_es_enforce_guardrails_keyvault.tmpl.json | 105 +- ..._enforce_guardrails_keyvault_sup.tmpl.json | 8 +- ...es_enforce_guardrails_kubernetes.tmpl.json | 50 +- ...force_guardrails_machinelearning.tmpl.json | 44 +- ...tion_es_enforce_guardrails_mysql.tmpl.json | 8 +- ...on_es_enforce_guardrails_network.tmpl.json | 68 +- ...ion_es_enforce_guardrails_openai.tmpl.json | 35 +- ...es_enforce_guardrails_postgresql.tmpl.json | 5 +- ...es_enforce_guardrails_servicebus.tmpl.json | 14 +- ...nition_es_enforce_guardrails_sql.tmpl.json | 17 +- ...on_es_enforce_guardrails_storage.tmpl.json | 68 +- ...on_es_enforce_guardrails_synapse.tmpl.json | 29 +- ...nforce_guardrails_virtualdesktop.tmpl.json | 8 +- 89 files changed, 3119 insertions(+), 668 deletions(-) create mode 100644 modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl_q225.tmpl.json create mode 100644 modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory.json create mode 100644 modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory_rg.json create mode 100644 modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk_20250218.tmpl.json create mode 100644 modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20241211.tmpl.json
diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
index b6261825c..c166d6993 100644
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
@@ -25,7 +25,7 @@
 "Enforce-ASR",
 "Enforce-GR-KeyVault",
 "Enforce-Subnet-Private",
- "Enforce-TLS-SSL-H224"
+ "Enforce-TLS-SSL-Q225"
 ],
 "policy_definitions": [],
 "policy_set_definitions": [],
diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
index e676b1a2c..625d6fed5 100644
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
@@ -29,6 +29,8 @@
 "Audit-PrivateLinkDnsZones",
 "Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
 "Audit-ServerFarms-UnusedResourcesCostOptimization",
+ "Audit-Tags-Mandatory-Rg",
+ "Audit-Tags-Mandatory",
 "Deny-AA-child-resources",
 "Deny-APIM-TLS",
 "Deny-AppGw-Without-Tls",
@@ -194,8 +196,10 @@
 "Enforce-ALZ-Decomm",
 "Enforce-ALZ-Sandbox",
 "Enforce-Backup",
+ "Enforce-Encryption-CMK_20250218",
 "Enforce-Encryption-CMK",
 "Enforce-EncryptTransit_20240509",
+ "Enforce-EncryptTransit_20241211",
 "Enforce-EncryptTransit",
 "Enforce-Guardrails-APIM",
 "Enforce-Guardrails-AppServices",
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
index c5b0e5347..9f5ae35c1 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
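Review bot: Swapping `"Enforce-TLS-SSL-H224"` for `"Enforce-TLS-SSL-Q225"` in the landing-zones archetype renames the assignment rather than adding one, so anything consumers keyed to the old assignment name (policy exemptions, parameter overrides, notScopes) silently stops applying once this is rolled out. Applied in place, the rename is likely to remove the H224 assignment and create the Q225 one in the same run, so encryption-in-transit enforcement on landing zones is briefly absent; the diffstat shows the Q225 assignment file being created and the H224 file not deleted, so the old template remains in the library but unassigned by default. The new Q225 assignment and its set definition are outside this chunk, so whether its parameters and effects match what H224 enforced cannot be confirmed here. A release-note line naming the rename and the need to re-create exemptions would cover the gap.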
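Review bot: In the root archetype hunk at `@@ -29,6 +29,8 @@`, `"Audit-Tags-Mandatory-Rg"` is inserted ahead of `"Audit-Tags-Mandatory"` in what otherwise reads as an alphabetically ordered list; swapping the two added lines keeps the ordering the rest of the list follows and avoids a spurious reorder in the next automated update. The dated variants added in the second hunk (`"Enforce-Encryption-CMK_20250218"`, `"Enforce-EncryptTransit_20241211"`) consistently precede their undated names, so only the tags pair is out of step. Both tag entries reference definition files the diffstat lists as newly created but which this chunk does not show.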
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Audit-AppGW-WAF",
 "dependsOn": [],
 "properties": {
 "description": "Assign the WAF should be enabled for Application Gateway audit policy.",
 "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json
index 2fde061f2..69f9d0151 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Audit-ResourceRGLocation",
 "dependsOn": [],
 "properties": {
 "description": "Resource Group and Resource locations should match.",
 "displayName": "Resource Group and Resource locations should match",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
index 0da4e80b1..75bf68c21 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
@@ -11,7 +11,7 @@
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
- "message": "Trust Launch {enforcementMode} be used on supported virtual machines for enhanced security."
+ "message": "Trusted Launch {enforcementMode} be used on supported virtual machines for enhanced security."
 }
 ],
 "parameters": {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
index 8178f23db..99db11394 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Audit-ZoneResiliency",
 "dependsOn": [],
 "properties": {
 "description": "Resources should be Zone Resilient.",
 "displayName": "Resources should be Zone Resilient",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5",
+ "definitionVersion": "1.*.*-preview",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_classic_resources.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_classic_resources.tmpl.json
index 2513e766d..3020c6596 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_classic_resources.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_classic_resources.tmpl.json
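Review bot: `"definitionVersion": "1.*.*-preview"` on Audit-ZoneResiliency pins the assignment to preview releases of the built-in initiative; as far as the Azure Policy versioning model goes, a later non-preview 1.x release carries a different version string, so this assignment would stay on the last preview build until the template is edited rather than floating onto the GA definition. The same pattern is added later in this patch for Deploy-MDEndpoints, Deploy-VM-ChangeTrack and Deploy-vmArc-ChangeTrack. That is a reasonable choice for an audit or deploy assignment whose behaviour should not change under it silently, but it should be recorded in the library release notes so the pin is revisited when these initiatives leave preview.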
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Classic-Resources",
 "dependsOn": [],
 "properties": {
 "description": "Denies deployment of classic resource types under the assigned scope.",
 "displayName": "Deny the deployment of classic resources",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
index 92c4b0f10..52e1e1e5d 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-HybridNetworking",
 "dependsOn": [],
 "properties": {
 "description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.",
 "displayName": "Deny the deployment of vWAN/ER/VPN gateway resources",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
index d5628a3cb..857497d6a 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-IP-forwarding",
 "dependsOn": [],
 "properties": {
@@ -13,6 +13,7 @@
 }
 ],
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+ "definitionVersion": "1.*.*",
 "scope": "${current_scope_resource_id}",
 "notScopes": [],
 "parameters": {}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_esc_aks.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_esc_aks.tmpl.json
index 7d9158f5a..ded7647e1 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_esc_aks.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_esc_aks.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Priv-Esc-AKS",
 "dependsOn": [],
 "properties": {
 "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes clusters should not allow container privilege escalation",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+ "definitionVersion": "7.*.*",
 "enforcementMode": "Default",
 "parameters": {
 "effect": {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_privileged_aks.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_privileged_aks.tmpl.json
index dd9ee2240..89523602c 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_privileged_aks.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_privileged_aks.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Privileged-AKS",
 "dependsOn": [],
 "properties": {
 "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes cluster should not allow privileged containers",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+ "definitionVersion": "9.*.*",
 "enforcementMode": "Default",
 "parameters": {
 "effect": {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
index 4bcb133b4..3476a65a2 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Public-IP",
 "dependsOn": [],
 "properties": {
 "description": "This policy denies creation of Public IPs under the assigned scope.",
 "displayName": "Deny the creation of public IP",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
index 589b39e58..b9381231d 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Public-IP-On-NIC",
 "dependsOn": [],
 "properties": {
 "description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.",
 "displayName": "Deny network interfaces having a public IP associated",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
index ceefeee79..d43311526 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Storage-http",
 "dependsOn": [],
 "properties": {
 "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
 "displayName": "Secure transfer to storage accounts should be enabled",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
index e5f6a8841..944f97715 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-UnmanagedDisk",
 "dependsOn": [],
 "properties": {
 "description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields.",
 "displayName": "Deny virtual machines and virtual machine scale sets that do not use managed disk",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
index 421d8bd6e..804be3d43 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-ASC-Monitoring",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Microsoft Cloud Security Benchmark policy initiative.",
 "displayName": "Microsoft Cloud Security Benchmark",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
+ "definitionVersion": "57.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
index 433cb60e9..d8e48f9f0 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-AzActivity-Log",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events",
 "displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azsqldb_auditing.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azsqldb_auditing.tmpl.json
index e2c05a33b..8d032a706 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azsqldb_auditing.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azsqldb_auditing.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-AzSqlDb-Auditing",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.",
 "displayName": "Configure SQL servers to have auditing enabled to Log Analytics workspace",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json
index b09d4d3fc..e715bde62 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-Diag-LogsCat",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.",
 "displayName": "Enable category group resource logging for supported resources to Log Analytics",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpoints.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpoints.tmpl.json
index 42d59c9a4..473ad2a7e 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpoints.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpoints.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-MDEndpoints",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Deploy Microsoft Defender for Endpoint agent on applicable images.",
 "displayName": "[Preview]: Deploy Microsoft Defender for Endpoint agent",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc",
+ "definitionVersion": "1.*.*-preview",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json
index ee9a51225..91d6308ae 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-MDEndpointsAMA",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.",
 "displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json
index f09719dd9..6cb7ea090 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-MDFC-DefSQL-AMA",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations).",
 "displayName": "Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
index e8adaa240..b622740fc 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-MDFC-OssDb",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
 "displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
index ebcb44213..03e777cb8 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-MDFC-SqlAtp",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
 "displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97",
+ "definitionVersion": "3.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
index 07d0f465b..030eeec89 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-SQL-TDE",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "This policy ensures that Transparent Data Encryption is enabled on SQL Servers.",
 "displayName": "Deploy TDE on SQL servers",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
index 331007f4e..b3f122074 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-SQL-Threat",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "This policy ensures that Threat Detection is enabled on SQL Servers.",
 "displayName": "Deploy Threat Detection on SQL servers",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
index 3b44c1867..e9fc9a477 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-VM-Backup",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.",
 "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
+ "definitionVersion": "9.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
index 0833b7cba..63441b59e 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-VM-ChangeTrack",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@ "description": "Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.", "displayName": "Enable ChangeTracking and Inventory for virtual machines", "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354", + "definitionVersion": "1.*.*-preview", "enforcementMode": "Default", "nonComplianceMessages": [ { diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json index e96534245..762e5a44c 100644 --- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json @@ -1,6 +1,6 @@ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "Deploy-VM-Monitoring", "location": "${default_location}", "dependsOn": [], @@ -11,6 +11,7 @@ "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.", "displayName": "Enable Azure Monitor for VMs", "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6", + "definitionVersion": "1.*.*", "enforcementMode": "Default", "nonComplianceMessages": [ { diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json index 3a710dcf6..678da60f0 100644 --- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json 
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json @@ -1,6 +1,6 @@ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "Deploy-vmArc-ChangeTrack", "location": "${default_location}", "dependsOn": [], @@ -11,6 +11,7 @@ "description": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations.", "displayName": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines", "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1", + "definitionVersion": "1.*.*-preview", "enforcementMode": "Default", "nonComplianceMessages": [ { diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json index da73e9e78..fa31fedb7 100644 --- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json @@ -1,6 +1,6 @@ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "Deploy-vmHybr-Monitoring", "location": "${default_location}", "dependsOn": [], @@ -11,6 +11,7 @@ "description": "Enable Azure Monitor for Hybrid Virtual Machines in the specified scope (Management group, Subscription or resource group).", "displayName": "Enable Azure Monitor for Hybrid Virtual Machines", "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321", + "definitionVersion": "1.*.*", "enforcementMode": "Default", "nonComplianceMessages": [ { 
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json index 868d85566..8ced7adde 100644 --- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json @@ -1,6 +1,6 @@ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "Deploy-VMSS-ChangeTrack", "location": "${default_location}", "dependsOn": [], @@ -11,6 +11,7 @@ "description": "Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.", "displayName": "Enable ChangeTracking and Inventory for virtual machine scale sets", "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc", + "definitionVersion": "1.*.*-preview", "enforcementMode": "Default", "nonComplianceMessages": [ { diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json index 4fd83c85e..9e67296d7 100644 --- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json @@ -1,6 +1,6 @@ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "Deploy-VMSS-Monitoring", "location": "${default_location}", "dependsOn": [], 
@@ -11,6 +11,7 @@ "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.", "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets", "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485", + "definitionVersion": "1.*.*", "enforcementMode": "Default", "nonComplianceMessages": [ { diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json index fc1034c4e..d3b48b0b5 100644 --- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json @@ -1,6 +1,6 @@ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "Enable-DDoS-VNET", "location": "${default_location}", "dependsOn": [], @@ -11,6 +11,7 @@ "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs.", "displayName": "Virtual networks should be protected by Azure DDoS Network Protection", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "definitionVersion": "1.*.*", "enforcementMode": "Default", "parameters": { "ddosPlan": { 
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_aks_https.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_aks_https.tmpl.json index f6d6403a8..3c18bc04a 100644 --- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_aks_https.tmpl.json +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_aks_https.tmpl.json @@ -1,12 +1,13 @@ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "Enforce-AKS-HTTPS", "dependsOn": [], "properties": { "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc", "displayName": "Kubernetes clusters should be accessible only over HTTPS", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "definitionVersion": "8.*.*", "enforcementMode": "Default", "parameters": { "effect": { diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json index f2a0da607..07db9bd28 100644 --- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json 
@@ -1,12 +1,13 @@ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "Enforce-Subnet-Private", "dependsOn": [], "properties": { "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement", "displayName": "Subnets should be private", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837", + "definitionVersion": "1.*.*", "enforcementMode": "Default", "nonComplianceMessages": [ { diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl_q225.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl_q225.tmpl.json new file mode 100644 index 000000000..04234d2f9 --- /dev/null +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl_q225.tmpl.json 
@@ -0,0 +1,24 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Enforce-TLS-SSL-Q225",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "TLS and SSL {enforcementMode} be enabled for on resources without encryption in transit."
+ }
+ ],
+ "parameters": {},
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory.json
new file mode 100644
index 000000000..dd83bce93
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory.json
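Review bot: The new `Enforce-TLS-SSL-Q225` assignment keeps `"apiVersion": "2022-06-01"` and carries no `definitionVersion`, while every updated assignment template in this commit moves to `2024-04-01` and is pinned, so the generator appears to treat newly added files differently from existing ones. Suggest `"apiVersion": "2024-04-01"` here and, if the referenced set `Enforce-EncryptTransit_20241211` is versioned, a matching `"definitionVersion"` so the new file follows the same convention as its siblings. The non-compliance message also reads `be enabled for on resources`; `be enabled on resources` is presumably intended.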
@@ -0,0 +1,66 @@
+{
+ "name": "Audit-Tags-Mandatory",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Audit for mandatory tags on resources",
+ "description": "Audits resources to ensure they have required tags based on tag array. Does not apply to resource groups.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Tags",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "mandatoryTags": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Array of mandatory tags",
+ "description": "Array of mandatory tags that must be present on the resource group. The array should contain semicolon separated list of the tag names."
+ },
+ "defaultValue": [
+ "owner",
+ "costcenter"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "not": {
+ "count": {
+ "value": "[parameters('mandatoryTags')]",
+ "name": "tagcount",
+ "where": {
+ "field": "tags",
+ "containsKey": "[current('tagcount')]"
+ }
+ },
+ "equals": "[length(parameters('mandatoryTags'))]"
+ }
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory_rg.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory_rg.json
new file mode 100644
index 000000000..d1d2818f6
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory_rg.json
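Review bot: The `mode` values of the two new tag definitions look swapped relative to what their descriptions say they evaluate. `Audit-Tags-Mandatory` states "Does not apply to resource groups" yet uses `"mode": "All"` with no `type` condition in its rule, and `All` is the mode that also evaluates resource groups and subscriptions; `Audit-Tags-Mandatory-Rg` in the next hunk targets `Microsoft.Resources/subscriptions/resourceGroups` yet uses `"mode": "Indexed"`, which as far as I recall only evaluates resource types that support tags and location and so may never evaluate a resource group, leaving that audit silent. The built-in tag policies use the opposite pairing (`Indexed` for resources, `All` for resource groups); suggest `"mode": "Indexed"` here and `"mode": "All"` in the Rg file, confirmed with a test assignment. Both files also describe `mandatoryTags` as a "semicolon separated list" although the parameter is an `Array` with a JSON-array default, this file's copy still says "present on the resource group", and both new files end without a trailing newline.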
@@ -0,0 +1,91 @@
+{
+ "name": "Audit-Tags-Mandatory-Rg",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Audit for mandatory tags on resource groups",
+ "description": "Audits resource groups to ensure they have required tags based on tag array.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Tags",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "mandatoryTags": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Array of mandatory tags",
+ "description": "Array of mandatory tags that must be present on the resource group. The array should contain semicolon separated list of the tag names."
+ },
+ "defaultValue": [
+ "owner",
+ "costcenter"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions/resourceGroups"
+ },
+ {
+ "anyOf": [
+ {
+ "not": {
+ "count": {
+ "value": "[parameters('mandatoryTags')]",
+ "name": "tagcount",
+ "where": {
+ "field": "tags",
+ "containsKey": "[current('tagcount')]"
+ }
+ },
+ "equals": "[length(parameters('mandatoryTags'))]"
+ }
+ },
+ {
+ "not": {
+ "count": {
+ "value": "[parameters('mandatoryTags')]",
+ "name": "tagnullcount",
+ "where": {
+ "value": "[resourceGroup().tags[current('tagnullcount')]]",
+ "notMatch": ""
+ }
+ },
+ "equals": "[length(parameters('mandatoryTags'))]"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json
index c7ecc25f4..dc6d59aba 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json
@@ -32,7 +32,8 @@
 "type": "String",
 "metadata": {
 "description": "The storage account ID to store assessments",
- "displayName": "The storage account ID to store assessments"
+ "displayName": "The storage account ID to store assessments",
+ "assignPermissions": true
 }
 },
 "effect": {
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments_20230706.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments_20230706.json
index 08cb17fbb..2ae4d4207 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments_20230706.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments_20230706.json
@@ -31,7 +31,8 @@
 "type": "String",
 "metadata": {
 "description": "The storage account ID to store assessments",
- "displayName": "The storage account ID to store assessments"
+ "displayName": "The storage account ID to store assessments",
+ "assignPermissions": true
 }
 },
 "effect": {
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json
index feb83fa83..902faf85a 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json
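Review bot: `"assignPermissions": true` on the storage-account parameter grants access to whatever resource the parameter value names, and the parameter `description` should say so. With this flag the portal assignment flow creates role assignments for the assignment's managed identity (using the definition's `roleDefinitionIds`) at the scope of the storage account the assigner supplies, which can be a resource outside the assignment scope; a note such as `"The storage account ID to store assessments. Role assignments for the policy's identity are created on this account when the policy is assigned."` makes that visible to whoever fills in the value. As far as I know the flag is honoured only by the portal, so Terraform or ARM deployments still need the explicit role assignment on the storage account, which is worth stating in the module documentation. The same change is made to the `_20230706` definition in the next hunk.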
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Audit virtual machines for Trusted Launch support", "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Trusted Launch", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -40,7 +40,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AuditTrustedLaunchEnabled", @@ -50,7 +51,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_unusedresourcescostoptimization.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_unusedresourcescostoptimization.tmpl.json index 19bf84ea0..b2eed8a9d 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_unusedresourcescostoptimization.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_unusedresourcescostoptimization.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Unused resources driving cost should be avoided", "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.", "metadata": { - "version": "2.0.0", + "version": "2.1.0", "category": "Cost Optimization", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
@@ -64,7 +64,8 @@ "value": "[parameters('effectDisks')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AuditPublicIpAddressesUnusedResourcesCostOptimization", @@ -74,7 +75,8 @@ "value": "[parameters('effectPublicIpAddresses')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AuditServerFarmsUnusedResourcesCostOptimization", @@ -84,7 +86,8 @@ "value": "[parameters('effectServerFarms')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AuditAzureHybridBenefitUnusedResourcesCostOptimization", @@ -94,7 +97,8 @@ "value": "Audit" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json index 9587da77c..57e460c8b 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Public network access should be disabled for PaaS services", "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", "metadata": { - "version": "5.1.0", + "version": "5.2.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -525,7 +525,8 @@ "value": "[parameters('CosmosPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", 
@@ -535,7 +536,8 @@ "value": "[parameters('KeyVaultPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP", @@ -545,7 +547,8 @@ "value": "[parameters('SqlServerPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "StorageDenyPaasPublicIP", @@ -555,7 +558,8 @@ "value": "[parameters('StoragePublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AKSDenyPaasPublicIP", @@ -565,7 +569,8 @@ "value": "[parameters('AKSPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "ACRDenyPaasPublicIP", @@ -575,7 +580,8 @@ "value": "[parameters('ACRPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AFSDenyPaasPublicIP", @@ -585,7 +591,8 @@ "value": "[parameters('AFSPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP", @@ -595,7 +602,8 @@ "value": "[parameters('PostgreSQLFlexPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "3.*.*" }, { "policyDefinitionReferenceId": "Deny-PostgreSql-Public-Network-Access", @@ -605,7 +613,8 @@ "value": "[parameters('postgreSqlPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", @@ -615,7 +624,8 @@ "value": "[parameters('MySQLFlexPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "BatchDenyPublicIP", 
@@ -625,7 +635,8 @@ "value": "[parameters('BatchPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "MariaDbDenyPublicIP", @@ -635,7 +646,8 @@ "value": "[parameters('MariaDbPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "MlDenyPublicIP", @@ -645,7 +657,8 @@ "value": "[parameters('MlPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "RedisCacheDenyPublicIP", @@ -655,7 +668,8 @@ "value": "[parameters('RedisCachePublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "BotServiceDenyPublicIP", @@ -665,7 +679,8 @@ "value": "[parameters('BotServicePublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AutomationDenyPublicIP", @@ -675,7 +690,8 @@ "value": "[parameters('AutomationPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AppConfigDenyPublicIP", @@ -685,7 +701,8 @@ "value": "[parameters('AppConfigPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "FunctionDenyPublicIP", @@ -695,7 +712,8 @@ "value": "[parameters('FunctionPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "FunctionAppSlotsDenyPublicIP", @@ -705,7 +723,8 @@ "value": "[parameters('FunctionAppSlotPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AseDenyPublicIP", 
@@ -715,7 +734,8 @@ "value": "[parameters('AsePublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "3.*.*" }, { "policyDefinitionReferenceId": "AsDenyPublicIP", @@ -725,7 +745,8 @@ "value": "[parameters('AsPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "ApiManDenyPublicIP", @@ -735,7 +756,8 @@ "value": "[parameters('ApiManPublicIpDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "ContainerAppsEnvironmentDenyPublicIP", @@ -745,7 +767,8 @@ "value": "[parameters('ContainerAppsEnvironmentDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-ContainerApps-Public-Network-Access", @@ -755,7 +778,8 @@ "value": "[parameters('containerAppsPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AsrVaultDenyPublicIP", @@ -765,7 +789,8 @@ "value": "[parameters('AsrVaultDenyEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" }, { "policyDefinitionReferenceId": "Deny-LogicApp-Public-Network-Access", @@ -775,7 +800,8 @@ "value": "[parameters('logicAppPublicNetworkAccessEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-AppSlots-Public", @@ -785,7 +811,8 @@ "value": "[parameters('appSlotsPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-CognitiveSearch-PublicEndpoint", @@ -795,7 +822,8 @@ "value": "[parameters('cognitiveSearchPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-ManagedDisk-Public-Network-Access", 
@@ -805,7 +833,8 @@ "value": "[parameters('managedDiskPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "Deny-ADX-Public-Network-Access", @@ -815,7 +844,8 @@ "value": "[parameters('adxPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Adf-Public-Network-Access", @@ -825,7 +855,8 @@ "value": "[parameters('adfPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-EventGrid-Public-Network-Access", @@ -835,7 +866,8 @@ "value": "[parameters('eventGridPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Public-Network-Access", @@ -845,7 +877,8 @@ "value": "[parameters('eventGridTopicPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-EH-Public-Network-Access", @@ -855,7 +888,8 @@ "value": "[parameters('eventHubNamespacesPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-KV-Hms-PublicNetwork", @@ -865,7 +899,8 @@ "value": "[parameters('keyVaultManagedHsmDisablePublicNetwork')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" }, { "policyDefinitionReferenceId": "Deny-MySql-Public-Network-Access", @@ -875,7 +910,8 @@ "value": "[parameters('mySqlPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "Deny-Cognitive-Services-Public-Network-Access", 
@@ -885,7 +921,8 @@ "value": "[parameters('cognitiveServicesPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "3.*.*" }, { "policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Access", @@ -895,7 +932,8 @@ "value": "[parameters('cognitiveServicesNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "3.*.*" }, { "policyDefinitionReferenceId": "Deny-Sb-PublicEndpoint", @@ -905,7 +943,8 @@ "value": "[parameters('serviceBusDisablePublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Sql-Managed-Public-Endpoint", @@ -915,7 +954,8 @@ "value": "[parameters('sqlManagedPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Public-Access", @@ -925,7 +965,8 @@ "value": "[parameters('storageAccountsPublicAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "3.*.*-preview" }, { "policyDefinitionReferenceId": "Deny-Synapse-Public-Network-Access", @@ -935,7 +976,8 @@ "value": "[parameters('synapsePublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Workspace-PublicNetworkAccess", @@ -945,7 +987,8 @@ "value": "[parameters('avdWorkspacePublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Hostpool-PublicNetworkAccess", @@ -955,7 +998,8 @@ "value": "[parameters('avdHostPoolPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Grafana-PublicNetworkAccess", @@ -965,7 +1009,8 @@ "value": "[parameters('grafanaPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" } ], "policyDefinitionGroups": null 
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_denyaction_deleteprotection.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_denyaction_deleteprotection.tmpl.json index 256a13358..e05f59aff 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_denyaction_deleteprotection.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_denyaction_deleteprotection.tmpl.json @@ -8,7 +8,7 @@ "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings", "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -23,13 +23,15 @@ "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings", "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs", "parameters": {}, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings", "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs", "parameters": {}, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json index 09c36e540..9faebbd35 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json 
@@ -8,7 +8,7 @@ "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines", "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -79,7 +79,8 @@ "value": "[parameters('tagOperator')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "4.*.*" }, { "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateLinux", @@ -101,7 +102,8 @@ "value": "[parameters('tagOperator')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "4.*.*" }, { "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateWindows", @@ -123,7 +125,8 @@ "value": "[parameters('tagOperator')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateLinux", @@ -145,7 +148,8 @@ "value": "[parameters('tagOperator')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json index cdc67e166..d9b803c22 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_diagnostics_loganalytics.tmpl.json 
@@ -853,7 +853,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics", @@ -869,7 +870,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics", @@ -885,7 +887,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics", @@ -901,7 +904,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics", @@ -917,7 +921,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics", @@ -933,7 +938,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics", @@ -949,7 +955,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics", @@ -965,7 +972,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics", 
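Review bot: Every reference in this initiative receives `"definitionVersion": ""` starting with hunk `@@ -853,7 +853,8 @@`, and no hunk touching the file's `metadata.version` is visible, unlike the other initiatives in this patch which bump it. An empty string is not a `major.*.*` range, so it must either be normalized to null/omitted by the consuming module or it risks a deployment-time rejection; if it is accepted it leaves these diagnostic-setting deployments, which feed the Log Analytics pipeline the SOC depends on, floating to whatever definition version is current. Suggest omitting the key for these references or pinning them like the sibling initiatives, and bumping `metadata.version` so downstream consumers detect the change. The initiative's header and parameter block lie outside this chunk.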
@@ -981,7 +989,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "ACIDeployDiagnosticLogDeployLogAnalytics", @@ -997,7 +1006,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "ACRDeployDiagnosticLogDeployLogAnalytics", @@ -1013,7 +1023,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "AKSDeployDiagnosticLogDeployLogAnalytics", @@ -1029,7 +1040,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics", @@ -1045,7 +1057,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics", @@ -1061,7 +1074,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "APIMgmtDeployDiagnosticLogDeployLogAnalytics", @@ -1080,7 +1094,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics", @@ -1096,7 +1111,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "AutomationDeployDiagnosticLogDeployLogAnalytics", @@ -1112,7 +1128,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "BastionDeployDiagnosticLogDeployLogAnalytics", 
@@ -1128,7 +1145,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "BatchDeployDiagnosticLogDeployLogAnalytics", @@ -1144,7 +1162,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics", @@ -1160,7 +1179,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics", @@ -1176,7 +1196,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "CosmosDeployDiagnosticLogDeployLogAnalytics", @@ -1192,7 +1213,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "DatabricksDeployDiagnosticLogDeployLogAnalytics", @@ -1208,7 +1230,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics", @@ -1224,7 +1247,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "DataFactoryDeployDiagnosticLogDeployLogAnalytics", @@ -1240,7 +1264,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics", @@ -1256,7 +1281,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics", 
@@ -1272,7 +1298,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "EventGridSubDeployDiagnosticLogDeployLogAnalytics", @@ -1288,7 +1315,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics", @@ -1304,7 +1332,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "EventHubDeployDiagnosticLogDeployLogAnalytics", @@ -1320,7 +1349,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics", @@ -1336,7 +1366,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics", @@ -1352,7 +1383,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "FirewallDeployDiagnosticLogDeployLogAnalytics", @@ -1371,7 +1403,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "FrontDoorDeployDiagnosticLogDeployLogAnalytics", @@ -1387,7 +1420,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "FunctionAppDeployDiagnosticLogDeployLogAnalytics", @@ -1403,7 +1437,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "HDInsightDeployDiagnosticLogDeployLogAnalytics", 
@@ -1419,7 +1454,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "IotHubDeployDiagnosticLogDeployLogAnalytics", @@ -1435,7 +1471,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "KeyVaultDeployDiagnosticLogDeployLogAnalytics", @@ -1451,7 +1488,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics", @@ -1467,7 +1505,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "LogAnalyticsDeployDiagnosticLogDeployLogAnalytics", @@ -1483,7 +1522,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics", @@ -1499,7 +1539,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics", @@ -1515,7 +1556,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "MariaDBDeployDiagnosticLogDeployLogAnalytics", @@ -1531,7 +1573,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "MediaServiceDeployDiagnosticLogDeployLogAnalytics", @@ -1547,7 +1590,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics", 
@@ -1563,7 +1607,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "MySQLDeployDiagnosticLogDeployLogAnalytics", @@ -1579,7 +1624,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics", @@ -1595,7 +1641,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "NetworkNICDeployDiagnosticLogDeployLogAnalytics", @@ -1611,7 +1658,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics", @@ -1627,7 +1675,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics", @@ -1643,7 +1692,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics", @@ -1662,7 +1712,8 @@ "value": "True" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics", @@ -1675,7 +1726,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "RedisCacheDeployDiagnosticLogDeployLogAnalytics", @@ -1691,7 +1743,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "RelayDeployDiagnosticLogDeployLogAnalytics", 
@@ -1707,7 +1760,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "SearchServicesDeployDiagnosticLogDeployLogAnalytics", @@ -1723,7 +1777,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "ServiceBusDeployDiagnosticLogDeployLogAnalytics", @@ -1739,7 +1794,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "SignalRDeployDiagnosticLogDeployLogAnalytics", @@ -1755,7 +1811,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics", @@ -1771,7 +1828,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics", @@ -1787,7 +1845,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "SQLMDeployDiagnosticLogDeployLogAnalytics", @@ -1803,7 +1862,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics", @@ -1819,7 +1879,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics", @@ -1835,7 +1896,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics", 
@@ -1851,7 +1913,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics", @@ -1867,7 +1930,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics", @@ -1883,7 +1947,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "VMSSDeployDiagnosticLogDeployLogAnalytics", @@ -1899,7 +1964,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "VNetGWDeployDiagnosticLogDeployLogAnalytics", @@ -1915,7 +1981,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "AppServiceDeployDiagnosticLogDeployLogAnalytics", @@ -1931,7 +1998,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics", @@ -1947,7 +2015,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics", @@ -1963,7 +2032,8 @@ "value": "[parameters('profileName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.tmpl.json index 5290f7358..f81dc870a 100644 
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.tmpl.json @@ -250,7 +250,8 @@ "value": "[parameters('enableAscForOssDb')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForVM", @@ -260,7 +261,8 @@ "value": "[parameters('enableAscForServers')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment", @@ -273,7 +275,8 @@ "value": "[parameters('vulnerabilityAssessmentProvider')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", @@ -283,7 +286,8 @@ "value": "[parameters('enableAscForSqlOnVm')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForAppServices", @@ -293,7 +297,8 @@ "value": "[parameters('enableAscForAppServices')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForStorageAccountsV2", @@ -303,7 +308,8 @@ "value": "[parameters('enableAscForStorage')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderforContainers", @@ -313,7 +319,8 @@ "value": "[parameters('enableAscForContainers')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderforKubernetes", @@ -326,7 +333,8 @@ "value": "[parameters('logAnalytics')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "azurePolicyForKubernetes", 
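Review bot: The `"definitionVersion": ""` added to `defenderForOssDb` in hunk `@@ -250,7 +250,8 @@` and to the following references contrasts with the `_20240319` successor initiative in this same patch, where the same reference ids get explicit `1.*.*`/`4.*.*` pins. If this older initiative is still assignable, an empty string leaves Defender plan enablement floating to the latest built-in version, or fails validation if the consumer passes it through verbatim, so the two initiatives will drift apart. Either mirror the pins from the successor or omit the key, and note that no `metadata.version` bump for this file is visible in the chunk even though its content changed. The initiative's header is outside this chunk.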
@@ -336,7 +344,8 @@ "value": "[parameters('enableAscForContainers')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForKeyVaults", @@ -346,7 +355,8 @@ "value": "[parameters('enableAscForKeyVault')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForDns", @@ -356,7 +366,8 @@ "value": "[parameters('enableAscForDns')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForArm", @@ -366,7 +377,8 @@ "value": "[parameters('enableAscForArm')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForSqlPaas", @@ -376,7 +388,8 @@ "value": "[parameters('enableAscForSql')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForCosmosDbs", @@ -386,7 +399,8 @@ "value": "[parameters('enableAscForCosmosDbs')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForApis", @@ -396,7 +410,8 @@ "value": "[parameters('enableAscForApis')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForCspm", @@ -406,7 +421,8 @@ "value": "[parameters('enableAscForCspm')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "securityEmailContact", @@ -419,7 +435,8 @@ "value": "[parameters('minimalSeverity')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "ascExport", 
@@ -435,13 +452,15 @@
"value": "[parameters('logAnalytics')]"
}
},
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
},
{
"policyDefinitionReferenceId": "migrateToMdeTvm",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888",
"parameters": {},
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
}
],
"policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json
index 78698ddef..969b8e34b 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json
@@ -8,7 +8,7 @@
"displayName": "Deploy Microsoft Defender for Cloud configuration",
"description": "Deploy Microsoft Defender for Cloud configuration",
"metadata": {
- "version": "2.1.0",
+ "version": "2.2.0",
"category": "Security Center",
"source": "https://github.com/Azure/Enterprise-Scale/",
"replacesPolicy": "Deploy-MDFC-Config",
@@ -226,6 +226,18 @@
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
+ },
+ "enableTvmCheck": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
}
},
"policyDefinitions": [
@@ -237,7 +249,8 @@
"value": "[parameters('enableAscForOssDb')]"
}
},
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
},
{
"policyDefinitionReferenceId": "defenderForVM",
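Review bot: The new `enableTvmCheck` parameter in hunk `@@ -226,6 +226,18 @@` reuses `"displayName": "Effect"` and the generic description copied from the neighbouring parameter, so in the assignment UI it is indistinguishable from the other effect parameters of this initiative. Give it a name that says what it controls, e.g. `"displayName": "Effect - Migrate to MDE TVM"` and `"description": "Effect for the migrateToMdeTvm reference (DeployIfNotExists or Disabled)."`. The `DeployIfNotExists` default preserves current behaviour, which is appropriate given the earlier hunk shows this reference previously ran with an empty `parameters` block; the `parameters` object this hunk extends begins before the visible lines.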
@@ -247,7 +260,8 @@ "value": "[parameters('enableAscForServers')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment", @@ -260,7 +274,8 @@ "value": "[parameters('vulnerabilityAssessmentProvider')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "4.*.*" }, { "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", @@ -270,7 +285,8 @@ "value": "[parameters('enableAscForSqlOnVm')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "defenderForAppServices", @@ -280,7 +296,8 @@ "value": "[parameters('enableAscForAppServices')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "defenderForStorageAccountsV2", @@ -290,7 +307,8 @@ "value": "[parameters('enableAscForStorage')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "defenderforContainers", @@ -300,7 +318,8 @@ "value": "[parameters('enableAscForContainers')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "defenderforKubernetes", @@ -313,7 +332,8 @@ "value": "[parameters('logAnalytics')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "4.*.*" }, { "policyDefinitionReferenceId": "azurePolicyForKubernetes", @@ -323,7 +343,8 @@ "value": "[parameters('enableAscForContainers')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "4.*.*" }, { "policyDefinitionReferenceId": "defenderForKeyVaults", @@ -333,7 +354,8 @@ "value": "[parameters('enableAscForKeyVault')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "defenderForArm", 
@@ -343,7 +365,8 @@ "value": "[parameters('enableAscForArm')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "defenderForSqlPaas", @@ -353,7 +376,8 @@ "value": "[parameters('enableAscForSql')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "defenderForCosmosDbs", @@ -363,7 +387,8 @@ "value": "[parameters('enableAscForCosmosDbs')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "defenderForCspm", @@ -373,7 +398,8 @@ "value": "[parameters('enableAscForCspm')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "securityEmailContact", @@ -386,7 +412,8 @@ "value": "[parameters('minimalSeverity')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "ascExport", @@ -405,13 +432,19 @@ "value": "[parameters('logAnalytics')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "4.*.*" }, { "policyDefinitionReferenceId": "migrateToMdeTvm", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888", - "parameters": {}, - "groupNames": [] + "parameters": { + "effect": { + "value": "[parameters('enableTvmCheck')]" + } + }, + "groupNames": [], + "definitionVersion": "" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_defendersql_ama.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_defendersql_ama.tmpl.json index d1037e4ce..02b708209 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_defendersql_ama.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_defendersql_ama.tmpl.json 
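Review bot: `migrateToMdeTvm` in hunk `@@ -405,13 +432,19 @@` is the only reference in this initiative left with `"definitionVersion": ""` while every sibling from `@@ -237` onward is pinned to an explicit major range. Now that the `enableTvmCheck` effect is wired into it, the reference floats to the newest built-in version of `766e621d-ba95-4e43-a6f2-e945db3d7888`, so a future major with a changed effect parameter or allowed values could break this assignment while the pinned siblings keep working. Pin it to the built-in's current major, e.g. `"definitionVersion": "1.*.*"` if that is what the definition presently reports (confirm before committing), or document why this one must track latest.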
@@ -105,7 +105,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForSqlArcMdsql", @@ -115,7 +116,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForSqlArcMdsqlDcr", @@ -143,7 +145,8 @@ "value": "[parameters('dcrId')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForSqlArcDcrAssociation", @@ -165,7 +168,8 @@ "value": "[parameters('dcrId')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForSqlAma", @@ -181,7 +185,8 @@ "value": "[parameters('userAssignedIdentityName')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForSqlMdsql", @@ -203,7 +208,8 @@ "value": "[parameters('dcrId')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "defenderForSqlMdsqlDcr", @@ -231,7 +237,8 @@ "value": "[parameters('dcrId')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json index f016bc3f5..b4ecee615 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json 
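Review bot: The seven references touched here (hunks `@@ -105` through `@@ -231`) all get `"definitionVersion": ""`, and no `metadata.version` change for this file is visible, whereas the `deploy_mdfc_config_20240319` initiative in this patch pins its references and bumps its version. Several of these references pass `dcrId` and `userAssignedIdentityName`, so an unpinned definition whose parameter contract changes in a new major would surface as a DINE remediation failure on SQL telemetry rather than as a deploy-time error. Either pin to the current majors or drop the empty key, and bump `metadata.version` so the change is versioned. The initiative's header and the first reference's id are outside this chunk.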
@@ -8,7 +8,7 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", "metadata": { - "version": "2.3.0", + "version": "2.4.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -834,7 +834,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-Webhook", @@ -850,7 +851,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-DSCHybrid", @@ -866,7 +868,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-SQL", @@ -882,7 +885,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-MongoDB", @@ -898,7 +902,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Cassandra", @@ -914,7 +919,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Gremlin", @@ -930,7 +936,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Table", 
@@ -946,7 +953,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory", @@ -964,7 +972,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory-Portal", @@ -982,7 +991,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-UI-Api", @@ -998,7 +1008,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-Browser-AuthN", @@ -1014,7 +1025,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-HDInsight", @@ -1030,7 +1042,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Migrate", @@ -1043,7 +1056,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob", @@ -1056,7 +1070,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob-Sec", @@ -1069,7 +1084,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue", 
@@ -1082,7 +1098,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue-Sec", @@ -1095,7 +1112,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-File", @@ -1108,7 +1126,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb", @@ -1121,7 +1140,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb-Sec", @@ -1134,7 +1154,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS", @@ -1147,7 +1168,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS-Sec", @@ -1160,7 +1182,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL", @@ -1176,7 +1199,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL-OnDemand", @@ -1192,7 +1216,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-Dev", 
@@ -1208,7 +1233,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Key", @@ -1224,7 +1250,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Live", @@ -1240,7 +1267,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Stream", @@ -1256,7 +1284,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Monitor", @@ -1281,7 +1310,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", @@ -1294,7 +1324,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", @@ -1307,7 +1338,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App", @@ -1320,7 +1352,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery", @@ -1333,7 +1366,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoT", 
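Review bot: The `DINE-Private-DNS-Azure-Site-Recovery` reference in the last hunk here (`@@ -1333`) is pinned to `"definitionVersion": "1.*.*-preview"`, and as far as I understand the version-matching rules a `-preview` pin only follows preview releases of that built-in, so when the definition ships a non-preview 1.x line this reference keeps resolving to the preview one and has to be re-pinned by hand. The same applies to `DINE-Private-DNS-Azure-Site-Recovery-Backup` on line 60, the six `Backup*` references on line 65 and `Deny-Backup-Cmk` on line 68. Since these templates are generated and JSON carries no comments, the place to record this is the PR description or the library changelog: list the `-preview` pins so they are revisited when the built-ins reach GA.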
@@ -1346,7 +1380,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-KeyVault", @@ -1359,7 +1394,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-SignalR", @@ -1372,7 +1408,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-AppServices", @@ -1385,7 +1422,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridTopics", @@ -1398,7 +1436,8 @@ "value": "[parameters('effect1')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DiskAccess", @@ -1411,7 +1450,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveServices", @@ -1424,7 +1464,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTHubs", @@ -1437,7 +1478,8 @@ "value": "[parameters('effect1')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridDomains", @@ -1450,7 +1492,8 @@ "value": "[parameters('effect1')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-RedisCache", 
@@ -1463,7 +1506,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ACR", @@ -1476,7 +1520,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventHubNamespace", @@ -1489,7 +1534,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MachineLearningWorkspace", @@ -1505,7 +1551,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ServiceBusNamespace", @@ -1518,7 +1565,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveSearch", @@ -1531,7 +1579,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-BotService", @@ -1544,7 +1593,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ManagedGrafanaWorkspace", @@ -1557,7 +1607,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopHostpool", @@ -1573,7 +1624,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopWorkspace", 
@@ -1589,7 +1641,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTDeviceupdate", @@ -1602,7 +1655,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc", @@ -1621,7 +1675,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTCentral", @@ -1634,7 +1689,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table", @@ -1647,7 +1703,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table-Secondary", @@ -1660,7 +1717,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery-Backup", @@ -1679,7 +1737,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.tmpl.json index 91b1d42b9..92d32ec27 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security.tmpl.json 
@@ -92,7 +92,8 @@
 "value": "[parameters('SqlDbTdeDeploySqlSecurityEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity",
@@ -102,7 +103,8 @@
 "value": "[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity",
@@ -112,7 +114,8 @@
 "value": "[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity",
@@ -128,7 +131,8 @@
 "value": "[parameters('vulnerabilityAssessmentsStorageID')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json
index 632d3fbc6..f87eb0282 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Deploy SQL Database built-in SQL security configuration",
 "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "replacesPolicy": "Deploy-Sql-Security",
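Review bot: All four references in the `policy_set_definition_es_deploy_sql_security.tmpl.json` hunks here get `"definitionVersion": ""`, an empty string, whereas every other template in this commit pins a `MAJOR.*.*` pattern and the replacement `_20240529` file on this same line pins the identically named references to `2.*.*`, `1.*.*`, `1.*.*` and `1.*.*`. An empty string is neither a version pin nor an omission, and I'd verify the Policy API accepts it before this template is deployed; the property was absent before this change, so either drop the two added lines and keep `"groupNames": []`, or pin the same versions as the replacement file if the referenced definition IDs match (I can't see them from here). Separately, this is the only file in the chunk whose content changes without a `metadata.version` bump: the `+++` header at the end of line 60 is followed directly by `@@ -92`, with no `@@ -8` hunk like the sibling files have.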
@@ -91,7 +91,8 @@ "value": "[parameters('SqlDbTdeDeploySqlSecurityEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity", @@ -101,7 +102,8 @@ "value": "[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity", @@ -111,7 +113,8 @@ "value": "[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity", @@ -127,7 +130,8 @@ "value": "[parameters('vulnerabilityAssessmentsStorageID')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_acsb.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_acsb.tmpl.json index e1e633bdf..35692bed0 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_acsb.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_acsb.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Enforce Azure Compute Security Benchmark compliance auditing", "description": "Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Guest Configuration", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
@@ -46,19 +46,22 @@ "policyDefinitionReferenceId": "GcIdentity", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e", "parameters": {}, - "groupNames": [] + "groupNames": [], + "definitionVersion": "4.*.*" }, { "policyDefinitionReferenceId": "GcLinux", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da", "parameters": {}, - "groupNames": [] + "groupNames": [], + "definitionVersion": "3.*.*" }, { "policyDefinitionReferenceId": "GcWindows", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6", "parameters": {}, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "WinAcsb", @@ -71,7 +74,8 @@ "value": "[parameters('includeArcMachines')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "LinAcsb", @@ -84,7 +88,8 @@ "value": "[parameters('includeArcMachines')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_decomm.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_decomm.tmpl.json index 5b94975bb..841045322 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_decomm.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_decomm.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Enforce policies in the Decommissioned Landing Zone", "description": "Enforce policies in the Decommissioned Landing Zone.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Decommissioned", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
@@ -37,13 +37,15 @@
 "value": "[parameters('listOfResourceTypesAllowed')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "DecomShutdownMachines",
 "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown",
 "parameters": {},
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_sandbox.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_sandbox.tmpl.json
index 636e835d4..0fb004b3f 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_sandbox.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_sandbox.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce policies in the Sandbox Landing Zone",
 "description": "Enforce policies in the Sandbox Landing Zone.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Sandbox",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -66,7 +66,8 @@
 "value": "[parameters('listOfResourceTypesNotAllowed')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "SandboxDenyVnetPeering",
@@ -76,7 +77,8 @@
 "value": "[parameters('effectDenyVnetPeering')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json
index 9c1c69e4c..12812d970 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Enforce enhanced recovery and backup policies", "description": "Enforce enhanced recovery and backup policies on assigned scopes.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Backup", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -67,7 +67,8 @@ "value": "[parameters('checkLockedImmutabilityOnly')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" }, { "policyDefinitionReferenceId": "BackupRVault-Immutability", @@ -80,7 +81,8 @@ "value": "[parameters('checkLockedImmutabilityOnly')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" }, { "policyDefinitionReferenceId": "BackupBVault-SoftDelete", @@ -93,7 +95,8 @@ "value": "[parameters('checkAlwaysOnSoftDeleteOnly')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" }, { "policyDefinitionReferenceId": "BackupRVault-SoftDelete", @@ -106,7 +109,8 @@ "value": "[parameters('checkAlwaysOnSoftDeleteOnly')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" }, { "policyDefinitionReferenceId": "BackupBVault-MUA", @@ -116,7 +120,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" }, { "policyDefinitionReferenceId": "BackupRVault-MUA", @@ -126,7 +131,8 @@ "value": "[parameters('effect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json index 7b07b46bd..d104d6ca8 100644 
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json @@ -5,10 +5,12 @@ "scope": null, "properties": { "policyType": "Custom", - "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", - "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "displayName": "[Deprecated]: Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK). Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK_20250218.html", "metadata": { - "version": "3.1.0", + "version": "3.2.0-deprecated", + "deprecated": true, + "supersededBy": "Enforce-Encryption-CMK_20250218", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -352,7 +354,8 @@ "value": "[parameters('ACRCmkEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AksCmkDeny", @@ -362,7 +365,8 @@ "value": "[parameters('AksCmkEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "WorkspaceCMK", @@ -372,7 +376,8 @@ "value": "[parameters('WorkspaceCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "CognitiveServicesCMK", @@ -382,7 +387,8 @@ "value": "[parameters('CognitiveServicesCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "CosmosCMKEffect", 
@@ -392,7 +398,8 @@ "value": "[parameters('CosmosCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "DataBoxCMKEffect", @@ -402,7 +409,8 @@ "value": "[parameters('DataBoxCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", @@ -412,7 +420,8 @@ "value": "[parameters('StreamAnalyticsCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", @@ -422,7 +431,8 @@ "value": "[parameters('SynapseWorkspaceCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "StorageCMKEffect", @@ -432,7 +442,8 @@ "value": "[parameters('StorageCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "MySQLCMKEffect", @@ -442,7 +453,8 @@ "value": "[parameters('MySQLCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "PostgreSQLCMKEffect", @@ -452,7 +464,8 @@ "value": "[parameters('PostgreSQLCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "SqlServerTDECMKEffect", @@ -462,7 +475,8 @@ "value": "[parameters('SqlServerTDECMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", @@ -472,7 +486,8 @@ "value": "[parameters('HealthcareAPIsCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "AzureBatchCMKEffect", 
@@ -482,7 +497,8 @@ "value": "[parameters('AzureBatchCMKEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "EncryptedVMDisksEffect", @@ -492,7 +508,8 @@ "value": "[parameters('EncryptedVMDisksEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "Deny-Aa-Cmk", @@ -502,7 +519,8 @@ "value": "[parameters('AutomationAccountCmkEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Backup-Cmk", @@ -512,7 +530,8 @@ "value": "[parameters('BackupCmkEffect')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*-preview" }, { "policyDefinitionReferenceId": "Deny-CognitiveSearch-Cmk", @@ -522,7 +541,8 @@ "value": "[parameters('cognitiveSearchCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", @@ -532,7 +552,8 @@ "value": "[parameters('osAndDataDiskCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "3.*.*" }, { "policyDefinitionReferenceId": "Deny-ContainerInstance-Cmk", @@ -542,7 +563,8 @@ "value": "[parameters('containerInstanceCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-ADX-Cmk", @@ -552,7 +574,8 @@ "value": "[parameters('adxCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Adf-Cmk", @@ -562,7 +585,8 @@ "value": "[parameters('adfCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-EH-Cmk", @@ -572,7 +596,8 @@ "value": "[parameters('eventHubNamespacesCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-EH-Premium-CMK", 
@@ -582,7 +607,8 @@ "value": "[parameters('eventHubPremiumCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Sb-Cmk", @@ -592,7 +618,8 @@ "value": "[parameters('serviceBusDenyCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Sql-Managed-Cmk", @@ -602,7 +629,8 @@ "value": "[parameters('sqlManagedCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Table-Cmk", @@ -612,7 +640,8 @@ "value": "[parameters('storageTableCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk", @@ -622,7 +651,8 @@ "value": "[parameters('storageAccountsEncryptionCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Queue-Cmk", @@ -632,7 +662,8 @@ "value": "[parameters('storageQueueCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-BotService-Cmk", @@ -642,7 +673,8 @@ "value": "[parameters('botServiceCmk')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk_20250218.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk_20250218.tmpl.json new file mode 100644 index 000000000..c29b9ef4b --- /dev/null +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk_20250218.tmpl.json 
@@ -0,0 +1,680 @@ +{ + "name": "Enforce-Encryption-CMK_20250218", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "metadata": { + "version": "1.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Enforce-Encryption-CMK", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "ACRCmkEffect": { + "metadata": { + "displayName": "Container registries should be encrypted with a customer-managed key (CMK)", + "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK." + }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "AksCmkEffect": { + "metadata": { + "displayName": "Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys", + "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." 
+ }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "WorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)", + "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk." + } + }, + "CognitiveServicesCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "CosmosCMKEffect": { + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "DataBoxCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password", + "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key." + } + }, + "StreamAnalyticsCMKEffect": { + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted." 
+ } + }, + "SynapseWorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys." + } + }, + "StorageCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption", + "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." + } + }, + "MySQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure MySQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." 
+ } + }, + "PostgreSQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure PostgreSQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." + } + }, + "SqlServerTDECMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "SQL servers should use customer-managed keys to encrypt data at rest", + "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement." + } + }, + "HealthcareAPIsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "disabled" + ], + "metadata": { + "displayName": "Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest", + "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys." 
+ } + }, + "AzureBatchCMKEffect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Batch account should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK." + } + }, + "EncryptedVMDisksEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Disk encryption should be applied on virtual machines", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations." 
+ } + }, + "AutomationAccountCmkEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "BackupCmkEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveSearchCmk": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "osAndDataDiskCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "containerInstanceCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adxCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "adfCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubNamespacesCmk": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "eventHubPremiumCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "serviceBusDenyCmk": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlManagedCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageTableCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsEncryptionCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageQueueCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "botServiceCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "audit", 
+ "Deny", + "deny", + "Disabled", + "disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "ACRCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "parameters": { + "effect": { + "value": "[parameters('ACRCmkEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "AksCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "parameters": { + "effect": { + "value": "[parameters('AksCmkEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "WorkspaceCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "parameters": { + "effect": { + "value": "[parameters('WorkspaceCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "CognitiveServicesCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "parameters": { + "effect": { + "value": "[parameters('CognitiveServicesCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": "CosmosCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "parameters": { + "effect": { + "value": "[parameters('CosmosCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "DataBoxCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "parameters": { + "effect": { + "value": "[parameters('DataBoxCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + 
"policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "parameters": { + "effect": { + "value": "[parameters('StreamAnalyticsCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "parameters": { + "effect": { + "value": "[parameters('SynapseWorkspaceCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "StorageCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "parameters": { + "effect": { + "value": "[parameters('StorageCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "MySQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "parameters": { + "effect": { + "value": "[parameters('MySQLCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "PostgreSQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "parameters": { + "effect": { + "value": "[parameters('PostgreSQLCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "SqlServerTDECMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + "parameters": { + "effect": { + "value": "[parameters('SqlServerTDECMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": 
"HealthcareAPIsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "parameters": { + "effect": { + "value": "[parameters('HealthcareAPIsCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "AzureBatchCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "parameters": { + "effect": { + "value": "[parameters('AzureBatchCMKEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "EncryptedVMDisksEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "parameters": { + "effect": { + "value": "[parameters('EncryptedVMDisksEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Aa-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", + "parameters": { + "effect": { + "value": "[parameters('AutomationAccountCmkEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Backup-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", + "parameters": { + "effect": { + "value": "[parameters('BackupCmkEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*-preview" + }, + { + "policyDefinitionReferenceId": "Deny-CognitiveSearch-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f", + "parameters": { + "effect": { + "value": "[parameters('cognitiveSearchCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", + "parameters": { + "effect": { + "value": "[parameters('osAndDataDiskCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "3.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-ContainerInstance-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6", + "parameters": { + "effect": { + "value": "[parameters('containerInstanceCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-ADX-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa", + "parameters": { + "effect": { + "value": "[parameters('adxCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Adf-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", + "parameters": { + "effect": { + "value": "[parameters('adfCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-EH-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec", + "parameters": { + "effect": { + "value": "[parameters('eventHubNamespacesCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-EH-Premium-CMK", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK", + "parameters": { + "effect": { + "value": "[parameters('eventHubPremiumCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Sb-Cmk", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a", + "parameters": { + "effect": { + "value": "[parameters('serviceBusDenyCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Sql-Managed-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "parameters": { + "effect": { + "value": "[parameters('sqlManagedCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Table-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688", + "parameters": { + "effect": { + "value": "[parameters('storageTableCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", + "parameters": { + "effect": { + "value": "[parameters('storageAccountsEncryptionCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Queue-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef", + "parameters": { + "effect": { + "value": "[parameters('storageQueueCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-BotService-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f", + "parameters": { + "effect": { + "value": "[parameters('botServiceCmk')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.tmpl.json
index 8b7c33bc6..fc8a860f7 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit.tmpl.json
@@ -386,7 +386,8 @@
 "value": "[parameters('AppServiceHttpEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "AppServiceminTlsVersion",
@@ -399,7 +400,8 @@
 "value": "[parameters('AppServiceminTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "FunctionLatestTlsEffect",
@@ -409,7 +411,8 @@
 "value": "[parameters('FunctionLatestTlsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect",
@@ -419,7 +422,8 @@
 "value": "[parameters('WebAppServiceLatestTlsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "APIAppServiceHttpsEffect",
@@ -429,7 +433,8 @@
 "value": "[parameters('APIAppServiceHttpsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "FunctionServiceHttpsEffect",
@@ -439,7 +444,8 @@
 "value": "[parameters('FunctionServiceHttpsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "WebAppServiceHttpsEffect",
@@ -449,7 +455,8 @@
 "value": "[parameters('WebAppServiceHttpsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect",
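Review bot: Every reference in this initiative now carries `"definitionVersion": ""` — the hunk at -386 and all the following hunks of this file through the `ContainerAppsHttpsOnlyEffect` one — while the sibling `_20240509` and `_20241211` templates in the same commit pin concrete ranges such as `"1.*.*"`. An empty string pins nothing, and the policySetDefinitions service may treat it as an invalid version expression rather than as "latest"; I could not confirm that from the diff alone, so it should be checked against a real deployment before this template is published. If the intent is "unpinned, track latest", omitting the property expresses that without relying on how an empty value is parsed; if the intent is to pin, the `"major.*.*"` form used in the dated files should be used here so that a breaking major bump of a built-in definition does not silently change the assigned effect.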
@@ -459,7 +466,8 @@
 "value": "[parameters('AKSIngressHttpsOnlyEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect",
@@ -472,7 +480,8 @@
 "value": "[parameters('MySQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "MySQLEnableSSLEffect",
@@ -485,7 +494,8 @@
 "value": "[parameters('MySQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect",
@@ -498,7 +508,8 @@
 "value": "[parameters('PostgreSQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect",
@@ -511,7 +522,8 @@
 "value": "[parameters('PostgreSQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "RedisTLSDeployEffect",
@@ -524,7 +536,8 @@
 "value": "[parameters('RedisMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "RedisdisableNonSslPort",
@@ -534,7 +547,8 @@
 "value": "[parameters('RedisTLSDeployEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "RedisDenyhttps",
@@ -547,7 +561,8 @@
 "value": "[parameters('RedisMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect",
@@ -560,7 +575,8 @@
 "value": "[parameters('SQLManagedInstanceMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect",
@@ -573,7 +589,8 @@
 "value": "[parameters('SQLManagedInstanceMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "SQLServerTLSDeployEffect",
@@ -586,7 +603,8 @@
 "value": "[parameters('SQLServerminTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "SQLServerTLSEffect",
@@ -599,7 +617,8 @@
 "value": "[parameters('SQLServerminTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "StorageHttpsEnabledEffect",
@@ -612,7 +631,8 @@
 "value": "[parameters('StorageMinimumTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect",
@@ -625,7 +645,8 @@
 "value": "[parameters('StorageMinimumTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 },
 {
 "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect",
@@ -635,7 +656,8 @@
 "value": "[parameters('ContainerAppsHttpsOnlyEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": ""
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json
index 1cafe91ff..6faa8e7f7 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json
@@ -5,13 +5,15 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
- "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ",
+ "displayName": "[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20241211.html ",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.0-deprecated",
 "category": "Encryption",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "replacesPolicy": "Enforce-EncryptTransit",
+ "deprecated": true,
+ "supersededBy": "Enforce-EncryptTransit_20241211",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
@@ -47,9 +49,10 @@
 "type": "String",
 "defaultValue": "1.2",
 "allowedValues": [
+ "1.3",
 "1.2",
- "1.0",
- "1.1"
+ "1.1",
+ "1.0"
 ],
 "metadata": {
 "displayName": "App Service. Select version minimum TLS Web App config",
@@ -356,7 +359,7 @@
 "Disabled"
 ]
 },
- "StorageminimumTlsVersion": {
+ "StorageMinimumTlsVersion": {
 "type": "String",
 "defaultValue": "TLS1_2",
 "allowedValues": [
@@ -523,7 +526,8 @@
 "value": "[parameters('AppServiceHttpEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "AppServiceminTlsVersion",
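Review bot: In the -47 hunk `"1.3"` is added to `AppServiceminTlsVersion.allowedValues`, but `defaultValue` stays `"1.2"` and `"1.1"` and `"1.0"` remain selectable, so an assignment can still set the enforced App Service minimum below the default; the parameter's `metadata.description` (the line after `displayName`, outside the hunk) does not say why the weaker versions are kept. The file is being marked deprecated in the same commit, so keeping them for compatibility is defensible, but the description should state it, e.g. `1.0 and 1.1 are retained for backward compatibility only; new assignments should select 1.2 or 1.3.` The same allowedValues list appears in the new `_20241211` template later in this diff, where the note applies equally.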
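Review bot: The -356 hunk renames the public parameter key `StorageminimumTlsVersion` to `StorageMinimumTlsVersion` in a template that this same commit marks `"deprecated": true`. The rename aligns the declaration with the existing `[parameters('StorageMinimumTlsVersion')]` references (visible as context in the -749 hunk of this file), so it is probably a fix; but if parameter names are matched case-sensitively, any assignment that currently passes `StorageminimumTlsVersion` as an override will fail on redeploy, and if they are matched case-insensitively the rename is cosmetic — which of the two holds is not determinable from the diff and should be verified. Either way a deprecated template is an odd place for a breaking key change; the `description` in the -5 hunk should record it, e.g. `Parameter StorageMinimumTlsVersion was previously spelled StorageminimumTlsVersion.`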
@@ -536,7 +540,8 @@
 "value": "[parameters('AppServiceminTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "FunctionLatestTlsEffect",
@@ -546,7 +551,8 @@
 "value": "[parameters('FunctionLatestTlsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect",
@@ -556,7 +562,8 @@
 "value": "[parameters('WebAppServiceLatestTlsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "APIAppServiceHttpsEffect",
@@ -566,7 +573,8 @@
 "value": "[parameters('APIAppServiceHttpsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "FunctionServiceHttpsEffect",
@@ -576,7 +584,8 @@
 "value": "[parameters('FunctionServiceHttpsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "WebAppServiceHttpsEffect",
@@ -586,7 +595,8 @@
 "value": "[parameters('WebAppServiceHttpsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect",
@@ -596,7 +606,8 @@
 "value": "[parameters('AKSIngressHttpsOnlyEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "8.*.*"
 },
 {
 "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect",
@@ -609,7 +620,8 @@
 "value": "[parameters('MySQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "MySQLEnableSSLEffect",
@@ -622,7 +634,8 @@
 "value": "[parameters('MySQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect",
@@ -635,7 +648,8 @@
 "value": "[parameters('PostgreSQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect",
@@ -648,7 +662,8 @@
 "value": "[parameters('PostgreSQLminimalTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "RedisTLSDeployEffect",
@@ -661,7 +676,8 @@
 "value": "[parameters('RedisMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "RedisdisableNonSslPort",
@@ -671,7 +687,8 @@
 "value": "[parameters('RedisTLSDeployEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "RedisDenyhttps",
@@ -684,7 +701,8 @@
 "value": "[parameters('RedisMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect",
@@ -697,7 +715,8 @@
 "value": "[parameters('SQLManagedInstanceMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect",
@@ -710,7 +729,8 @@
 "value": "[parameters('SQLManagedInstanceMinTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "SQLServerTLSDeployEffect",
@@ -723,7 +743,8 @@
 "value": "[parameters('SQLServerminTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "SQLServerTLSEffect",
@@ -736,7 +757,8 @@
 "value": "[parameters('SQLServerminTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect",
@@ -749,7 +771,8 @@
 "value": "[parameters('StorageMinimumTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect",
@@ -759,7 +782,8 @@
 "value": "[parameters('ContainerAppsHttpsOnlyEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-FunctionApp-Tls",
@@ -769,7 +793,8 @@
 "value": "[parameters('FunctionAppTlsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deploy-LogicApp-TLS",
@@ -779,7 +804,8 @@
 "value": "[parameters('LogicAppTlsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https",
@@ -789,7 +815,8 @@
 "value": "[parameters('logicAppHttpsEffect')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls",
@@ -799,7 +826,8 @@
 "value": "[parameters('functionAppSlotsTls')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls",
@@ -809,7 +837,8 @@
 "value": "[parameters('appServiceAppsTls')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppService-Apps-Https",
@@ -819,7 +848,8 @@
 "value": "[parameters('appServiceAppsHttps')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "4.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppService-Tls",
@@ -829,7 +859,8 @@
 "value": "[parameters('appServiceTls')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls",
@@ -839,7 +870,8 @@
 "value": "[parameters('appServiceAppSlotTls')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https",
@@ -849,7 +881,8 @@
 "value": "[parameters('functionAppSlotsHttps')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-FunctionApp-Https",
@@ -859,7 +892,8 @@
 "value": "[parameters('functionAppHttps')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "5.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppService-Slots-Https",
@@ -869,7 +903,8 @@
 "value": "[parameters('appServiceAppSlotsHttps')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ContainerApps-Https",
@@ -879,7 +914,8 @@
 "value": "[parameters('containerAppsHttps')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-EH-minTLS",
@@ -889,7 +925,8 @@
 "value": "[parameters('eventHubMinTls')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version",
@@ -899,7 +936,8 @@
 "value": "[parameters('sqlManagedTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Sql-Db-Tls",
@@ -909,7 +947,8 @@
 "value": "[parameters('sqlDbTls')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Storage-Tls",
@@ -919,7 +958,8 @@
 "value": "[parameters('storageAccountsTls')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version",
@@ -929,7 +969,8 @@
 "value": "[parameters('synapseTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20241211.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20241211.tmpl.json
new file mode 100644
index 000000000..bf7f08bc5
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20241211.tmpl.json
@@ -0,0 +1,956 @@ +{ + "name": "Enforce-EncryptTransit_20241211", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.", + "metadata": { + "version": "1.2.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Enforce-EncryptTransit_20240509", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." 
+ } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.3", + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionAppTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Configure Function apps to use the latest TLS version.", + "description": "App Service Function App. 
Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version." + }, + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "LogicAppTlsEffect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." 
+ }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. 
Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. 
Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. 
Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageMinimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "ContainerAppsHttpsOnlyEffect": { + "metadata": { + "displayName": "Container Apps should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." 
+ }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "logicAppHttpsEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubMinTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedTlsVersion": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlDbTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTlsVersion": { + "type": "string", + "defaultValue": "Deny", + 
"allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "policyDefinitionId": 
"${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": "[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "8.*.*" + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": 
"${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": 
"SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('StorageDeployHttpsEnabledEffect')]" + }, + 
"minimumTlsVersion": { + "value": "[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "parameters": { + "effect": { + "value": "[parameters('ContainerAppsHttpsOnlyEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "parameters": { + "effect": { + "value": "[parameters('FunctionAppTlsEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deploy-LogicApp-TLS", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "parameters": { + "effect": { + "value": "[parameters('LogicAppTlsEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", + "parameters": { + "effect": { + "value": "[parameters('logicAppHttpsEffect')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "parameters": { + "effect": { + "value": "[parameters('functionAppSlotsTls')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", 
+ "parameters": { + "effect": { + "value": "[parameters('appServiceAppsTls')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "parameters": { + "effect": { + "value": "[parameters('appServiceAppsHttps')]" + } + }, + "groupNames": [], + "definitionVersion": "4.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "parameters": { + "effect": { + "value": "[parameters('appServiceTls')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", + "parameters": { + "effect": { + "value": "[parameters('appServiceAppSlotTls')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", + "parameters": { + "effect": { + "value": "[parameters('functionAppSlotsHttps')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "parameters": { + "effect": { + "value": "[parameters('functionAppHttps')]" + } + }, + "groupNames": [], + "definitionVersion": "5.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "parameters": { + "effect": { + 
"value": "[parameters('appServiceAppSlotsHttps')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-EH-minTLS", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS", + "parameters": { + "effect": { + "value": "[parameters('eventHubMinTls')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", + "parameters": { + "effect": { + "value": "[parameters('sqlManagedTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + "parameters": { + "effect": { + "value": "[parameters('sqlDbTls')]" + } + }, + "groupNames": [], + "definitionVersion": "2.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", + "parameters": { + "effect": { + "value": "[parameters('storageAccountsTls')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + }, + { + "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", + "parameters": { + "effect": { + "value": "[parameters('synapseTlsVersion')]" + } + }, + "groupNames": [], + "definitionVersion": "1.*.*" + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json
index 395df58bb..15a115d12 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for API Management",
 "description": "This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "API Management",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -126,7 +126,8 @@
 "value": "[parameters('apimSecrets')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Apim-without-Vnet",
@@ -136,7 +137,8 @@
 "value": "[parameters('apimVnetUsage')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-APIM-TLS",
@@ -146,7 +148,8 @@
 "value": "[parameters('apimTls')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Apim-Protocols",
@@ -156,7 +159,8 @@
 "value": "[parameters('apimEncryptedProtocols')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Apim-Authn",
@@ -166,7 +170,8 @@
 "value": "[parameters('apimCallApiAuthn')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Apim-Direct-Endpoint",
@@ -176,7 +181,8 @@
 "value": "[parameters('apimDirectApiEndpoint')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Apim-Cert-Validation",
@@ -186,7 +192,8 @@
 "value": "[parameters('apimApiBackendCertValidation')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-Apim-Public-NetworkAccess",
@@ -196,7 +203,8 @@
 "value": "[parameters('apimDisablePublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Apim-Sku-Vnet",
@@ -206,7 +214,8 @@
 "value": "[parameters('apimSkuVnet')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Apim-Version",
@@ -216,7 +225,8 @@
 "value": "[parameters('minimumApiVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Api-subscription-scope",
@@ -226,7 +236,8 @@
 "value": "[parameters('apiSubscriptionScope')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json
index a571fb9c4..8d5fd39d2 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for App Service",
 "description": "This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "App Service",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -179,7 +179,8 @@
 "value": "[parameters('appServiceByoc')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging",
@@ -189,7 +190,8 @@
 "value": "[parameters('appServiceAppsRemoteDebugging')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppService-Slots-Remote-Debugging",
@@ -199,7 +201,8 @@
 "value": "[parameters('appServiceAppSlotsRemoteDebugging')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppService-Latest-Version",
@@ -209,7 +212,8 @@
 "value": "[parameters('appServiceEnvLatestVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppService-Vnet-Routing",
@@ -219,7 +223,8 @@
 "value": "[parameters('appServiceAppsVnetRouting')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppService-Rfc",
@@ -229,7 +234,8 @@
 "value": "[parameters('appServiceRfc')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppServiceApps-Rfc",
@@ -239,7 +245,8 @@
 "value": "[parameters('appServiceAppsRfc')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "DINE-FuncApp-Debugging",
@@ -249,7 +256,8 @@
 "value": "[parameters('functionAppDebugging')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "DINE-AppService-ScmAuth",
@@ -259,7 +267,8 @@
 "value": "[parameters('appServiceScmAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppServ-Routing",
@@ -269,7 +278,8 @@
 "value": "[parameters('appServiceRouting')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppServ-FtpAuth",
@@ -279,7 +289,8 @@
 "value": "[parameters('appServiceDisableLocalAuthFtp')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppServ-SkuPl",
@@ -289,7 +300,8 @@
 "value": "[parameters('appServiceSkuPl')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "4.*.*"
 },
 {
 "policyDefinitionReferenceId": "DINE-AppService-LocalAuth",
@@ -299,7 +311,8 @@
 "value": "[parameters('appServiceDisableLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "DINE-AppService-Debugging",
@@ -309,7 +322,8 @@
 "value": "[parameters('functionAppDebugging')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Https",
@@ -319,7 +333,8 @@
 "value": "[parameters('functionAppSlotsModifyHttps')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-AppService-Https",
@@ -329,7 +344,8 @@
 "value": "[parameters('appServiceAppHttps')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Public-Network-Access",
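Review bot: In hunks `@@ -249,7 +256,8 @@` and `@@ -309,7 +322,8 @@` both `DINE-FuncApp-Debugging` and `DINE-AppService-Debugging` take their effect from `[parameters('functionAppDebugging')]`, so the App Service member cannot be enabled or disabled independently of the Function App one. If that sharing is unintentional, the second member should reference its own parameter (declared in the initiative's `parameters` section, which lies outside these hunks); if it is deliberate, the parameter's description should say that it drives both members. Either way it is a follow-up rather than something this version-pin commit needs to carry.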
@@ -339,7 +355,8 @@
 "value": "[parameters('functionAppSlotsModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-AppService-Apps-Public-Network-Access",
@@ -349,7 +366,8 @@
 "value": "[parameters('appServiceAppsModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-AppService-App-Public-Network-Access",
@@ -359,7 +377,8 @@
 "value": "[parameters('appServiceAppModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json
index 27e5cb41c..d3df58376 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Automation Account",
 "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Automation",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -79,7 +79,8 @@
 "value": "[parameters('autoHotPatch')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity",
@@ -89,7 +90,8 @@
 "value": "[parameters('aaManagedIdentity')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aa-Local-Auth",
@@ -99,7 +101,8 @@
 "value": "[parameters('aaLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt",
@@ -109,7 +112,8 @@
 "value": "[parameters('aaVariablesEncryption')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Aa-Local-Auth",
@@ -119,7 +123,8 @@
 "value": "[parameters('aaModifyLocalAUth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Aa-Public-Network-Access",
@@ -129,7 +134,8 @@
 "value": "[parameters('aaModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json
index e27021b39..0daa2ffa0 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Bot Service",
 "description": "This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Bot Service",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -69,7 +69,8 @@
 "value": "[parameters('botServiceValidUri')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-BotService-Isolated-Mode",
@@ -79,7 +80,8 @@
 "value": "[parameters('botServiceIsolatedMode')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-BotService-Local-Auth",
@@ -89,7 +91,8 @@
 "value": "[parameters('botServiceLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Audit-BotService-Private-Link",
@@ -99,7 +102,8 @@
 "value": "[parameters('botServicePrivateLink')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
index a846b06a0..4a2d501d4 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Cognitive Services",
 "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Cognitive Services",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -104,7 +104,8 @@
 "value": "[parameters('cognitiveSearchSku')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-CongitiveSearch-LocalAuth",
@@ -114,7 +115,8 @@
 "value": "[parameters('cognitiveSearchLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-CogntiveSearch-LocalAuth",
@@ -124,7 +126,8 @@
 "value": "[parameters('modifyCognitiveSearchLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-CogntiveSearch-PublicEndpoint",
@@ -134,7 +137,8 @@
 "value": "[parameters('modifyCognitiveSearchPublicEndpoint')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Cognitive-Services-Public-Network-Access",
@@ -144,7 +148,8 @@
 "value": "[parameters('cognitiveServicesModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "3.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity",
@@ -154,7 +159,8 @@
 "value": "[parameters('cognitiveServicesManagedIdentity')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Cognitive-Services-Customer-Storage",
@@ -164,7 +170,8 @@
 "value": "[parameters('cognitiveServicesCustomerStorage')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth",
@@ -174,7 +181,8 @@
 "value": "[parameters('cognitiveServicesLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Aine-Cognitive-Services-Resource-Logs",
@@ -184,7 +192,8 @@
 "value": "[parameters('cognitiveServicesResourceLogs')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "5.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json
index 856e612df..04f7e64a2 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Compute",
 "description": "This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Compute",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -46,7 +46,8 @@
 "value": "[parameters('vmAndVmssEncryptionHost')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Disk-Double-Encryption",
@@ -56,7 +57,8 @@
 "value": "[parameters('diskDoubleEncryption')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json
index 5477729a9..b6b57ce62 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Container Apps",
 "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Container Apps",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -46,7 +46,8 @@
 "value": "[parameters('containerAppsVnetInjection')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ContainerApps-Managed-Identity",
@@ -56,7 +57,8 @@
 "value": "[parameters('containerAppsManagedIdentity')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json
index 0b1598cc7..2de2c805d 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Container Instance",
 "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Container Instances",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -37,7 +37,8 @@
 "value": "[parameters('containerInstanceVnet')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json
index edb893f56..72b8463a9 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json
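Review bot: The Container Instance initiative's user-facing `"description"` in hunk `@@ -8,7 +8,7 @@` still reads `"... ensures Container Apps is compliant per regulated Landing Zones."`, and the Container Registry initiative that follows carries the same copy-paste (`ensures Container Apps is compliant` under `"displayName": "Enforce recommended guardrails for Container Registry"`). Both descriptions are what operators see in the portal next to the initiative, so they should name Container Instance and Container Registry respectively. Since this library is generated, the wording belongs in the upstream definitions, but the `1.1.0` bump the commit makes to each file would have been the natural point to carry the correction.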
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Container Registry",
 "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Container Registry",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -131,7 +131,8 @@
 "value": "[parameters('containerRegistryModifyLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-ContainerRegistry-Repo-Token",
@@ -141,7 +142,8 @@
 "value": "[parameters('containerRegistryModifyRepositoryToken')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ContainerRegistry-Arm-Audience",
@@ -151,7 +153,8 @@
 "value": "[parameters('containerRegistryArmAudience')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-ContainerRegistry-Arm-Audience",
@@ -161,7 +164,8 @@
 "value": "[parameters('containerRegistryModifyArmAudience')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ContainerRegistry-Sku-PrivateLink",
@@ -171,7 +175,8 @@
 "value": "[parameters('containerRegistrySkuPrivateLink')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-ContainerRegistry-Anonymous-Auth",
@@ -181,7 +186,8 @@
 "value": "[parameters('containerRegistryModifyAnAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ContainerRegistry-Anonymous-Auth",
@@ -191,7 +197,8 @@
 "value": "[parameters('containerRegistryAnAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ContainerRegistry-Exports",
@@ -201,7 +208,8 @@
 "value": "[parameters('containerRegistryExports')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ContainerRegistry-Local-Auth",
@@ -211,7 +219,8 @@
 "value": "[parameters('containerRegistryLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ContainerRegistry-Repo-Token",
@@ -221,7 +230,8 @@
 "value": "[parameters('containerRegistryRepositoryToken')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ContainerRegistry-Unrestricted-Network-Access",
@@ -231,7 +241,8 @@
 "value": "[parameters('containerRegistryUnrestrictedNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-ContainerRegistry-Public-Network-Access",
@@ -241,7 +252,8 @@
 "value": "[parameters('containerRegistryModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json
index 8fd6bbca9..7332dae6b 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Cosmos DB",
 "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Cosmos DB",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -70,7 +70,8 @@
 "value": "[parameters('cosmosDbModifyLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-CosmosDb-Atp",
@@ -80,7 +81,8 @@
 "value": "[parameters('cosmosDbAtp')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-CosmosDb-Fw-Rules",
@@ -90,7 +92,8 @@
 "value": "[parameters('cosmosDbFwRules')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-CosmosDb-Local-Auth",
@@ -100,13 +103,15 @@
 "value": "[parameters('cosmosDbLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Append-CosmosDb-Metadata",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5",
 "parameters": {},
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-CosmosDb-Public-Network-Access",
@@ -116,7 +121,8 @@
 "value": "[parameters('cosmosDbModifyPublicAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json
index 5a53702d3..d1b2357b9 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Data Explorer",
 "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Azure Data Explorer",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -63,7 +63,8 @@
 "value": "[parameters('adxSku')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ADX-Double-Encryption",
@@ -73,7 +74,8 @@
 "value": "[parameters('adxDoubleEncryption')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ADX-Encryption",
@@ -83,7 +85,8 @@
 "value": "[parameters('adxEncryption')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-ADX-Public-Network-Access",
@@ -93,7 +96,8 @@
 "value": "[parameters('adxModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json
index 0c87a56ff..e0f28e3b3 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Data Factory",
 "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Data Factory",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -72,7 +72,8 @@
 "value": "[parameters('adfManagedIdentity')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Adf-Git",
@@ -82,7 +83,8 @@
 "value": "[parameters('adfGit')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Adf-Linked-Service-Key-Vault",
@@ -92,7 +94,8 @@
 "value": "[parameters('adfLinkedServiceKeyVault')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Adf-Sql-Integration",
@@ -102,7 +105,8 @@
 "value": "[parameters('adfSqlIntegration')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Adf-Public-Network-Access",
@@ -112,7 +116,8 @@
 "value": "[parameters('adfModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json
index 98870d1d7..9b9dd8c3d 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Event Grid",
 "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Event Grid",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -95,7 +95,8 @@
 "value": "[parameters('eventGridPartnerNamespaceModifyLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Local-Auth",
@@ -105,7 +106,8 @@
 "value": "[parameters('eventGridDomainModifyLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Local-Auth",
@@ -115,7 +117,8 @@
 "value": "[parameters('eventGridTopicLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Local-Auth",
@@ -125,7 +128,8 @@
 "value": "[parameters('eventGridTopicModifyLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-EventGrid-Partner-Namespace-Local-Auth",
@@ -135,7 +139,8 @@
 "value": "[parameters('eventGridPartnerNamespaceLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-EventGrid-Local-Auth",
@@ -145,7 +150,8 @@
 "value": "[parameters('eventGridLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Public-Network-Access",
@@ -155,7 +161,8 @@
 "value": "[parameters('eventGridDomainModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Public-Network-Access",
@@ -165,7 +172,8 @@
 "value": "[parameters('eventGridTopicModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json
index 7b1a8fda5..4eb259475 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Event Hub",
 "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Event Hub",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -63,7 +63,8 @@
 "value": "[parameters('eventHubNamespacesDoubleEncryption')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-EH-Local-Auth",
@@ -73,7 +74,8 @@
 "value": "[parameters('eventHubNamespacesModifyLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-EH-Local-Auth",
@@ -83,7 +85,8 @@
 "value": "[parameters('eventHubNamespacesLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-EH-Auth-Rules",
@@ -93,7 +96,8 @@
 "value": "[parameters('eventHubAuthRules')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
index c46d2cc28..5af0e7906 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Azure Key Vault",
 "description": "Enforce recommended guardrails for Azure Key Vault.",
 "metadata": {
- "version": "2.1.0",
+ "version": "2.2.0",
 "category": "Key Vault",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -21,7 +21,7 @@
 "effectKvSoftDelete": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Soft Delete",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -34,7 +34,7 @@
 "effectKvPurgeProtection": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Purge Protection",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -47,7 +47,7 @@
 "effectKvSecretsExpire": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Secrets Expiry",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -60,7 +60,7 @@
 "effectKvKeysExpire": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Keys Expiry",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -73,7 +73,7 @@
 "effectKvFirewallEnabled": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Firewall Enabled",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -86,7 +86,7 @@
 "effectKvCertLifetime": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Certificate Lifetime",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -118,7 +118,7 @@
 "effectKvKeysLifetime": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Keys Lifetime",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -139,7 +139,7 @@
 "effectKvSecretsLifetime": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Secrets Lifetime",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -456,7 +456,8 @@
 "value": "[parameters('effectKvSoftDelete')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "3.*.*"
 },
 {
 "policyDefinitionReferenceId": "KvPurgeProtection",
@@ -466,7 +467,8 @@
 "value": "[parameters('effectKvPurgeProtection')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "KvSecretsExpire",
@@ -476,7 +478,8 @@
 "value": "[parameters('effectKvSecretsExpire')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "KvKeysExpire",
@@ -486,7 +489,8 @@
 "value": "[parameters('effectKvKeysExpire')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "KvFirewallEnabled",
@@ -496,7 +500,8 @@
 "value": "[parameters('effectKvFirewallEnabled')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "3.*.*"
 },
 {
 "policyDefinitionReferenceId": "KvCertLifetime",
@@ -512,7 +517,8 @@
 "value": "[parameters('minimumCertLifeDaysBeforeExpiry')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "KvKeysLifetime",
@@ -525,7 +531,8 @@
 "value": "[parameters('minimumKeysLifeDaysBeforeExpiry')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "KvSecretsLifetime",
@@ -538,7 +545,8 @@
 "value": "[parameters('minimumSecretsLifeDaysBeforeExpiry')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinCertSize",
@@ -551,7 +559,8 @@
 "value": "[parameters('keyVaultMinimumRSACertificateSizeValue')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize",
@@ -564,7 +573,8 @@
 "value": "[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*-preview"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinKeySize",
@@ -577,7 +587,8 @@
 "value": "[parameters('keyVaultMinimumRSAKeySizeValue')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-without-ArmRbac",
@@ -587,7 +598,8 @@
 "value": "[parameters('keyVaultArmRbac')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Hms-PurgeProtection",
@@ -597,7 +609,8 @@
 "value": "[parameters('keyVaultHmsPurgeProtection')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Cert-Period",
@@ -610,7 +623,8 @@
 "value": "[parameters('keyVaultCertValidPeriod')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Hms-Key-Expire",
@@ -620,7 +634,8 @@
 "value": "[parameters('keyVaultHmsKeysExpiration')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*-preview"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Keys-Expire",
@@ -633,7 +648,8 @@
 "value": "[parameters('keysValidityInDays')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays",
@@ -646,7 +662,8 @@
 "value": "[parameters('secretsValidityInDays')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Key-Types",
@@ -656,7 +673,8 @@
 "value": "[parameters('keyVaultCertKeyTypes')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve",
@@ -666,7 +684,8 @@
 "value": "[parameters('keyVaultEllipticCurve')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type",
@@ -676,7 +695,8 @@
 "value": "[parameters('keyVaultCryptographicType')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Key-Active",
@@ -689,7 +709,8 @@
 "value": "[parameters('keysActiveInDays')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Curve-Names",
@@ -699,7 +720,8 @@
 "value": "[parameters('keysCurveNames')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-KV-Secret-ActiveDays",
@@ -712,7 +734,8 @@
 "value": "[parameters('secretsActiveInDays')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Kv-Secret-Content-Type",
@@ -722,7 +745,8 @@
 "value": "[parameters('keyVaultSecretContentType')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Kv-Non-Integrated-Ca",
@@ -735,7 +759,8 @@
 "value": "[parameters('keyVaultNonIntegratedCaValue')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Kv-Integrated-Ca",
@@ -748,7 +773,8 @@
 "value": "[parameters('keyVaultIntegratedCaValue')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Kv-Hsm-MinimumDays-Before-Expiration",
@@ -761,7 +787,8 @@
 "value": "[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*-preview"
 },
 {
 "policyDefinitionReferenceId": "Deny-Kv-Hsm-Curve-Names",
@@ -774,7 +801,8 @@
 "value": "[parameters('keyVaultHmsCurveNamesValue')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*-preview"
 },
 {
 "policyDefinitionReferenceId": "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days",
@@ -787,7 +815,8 @@
 "value": "[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json
index 8b4b199fe..3287e3628 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce additional recommended guardrails for Key Vault",
 "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Key Vault",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -44,7 +44,8 @@
 "value": "[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*-preview"
 },
 {
 "policyDefinitionReferenceId": "Modify-KV-Fw",
@@ -54,7 +55,8 @@
 "value": "[parameters('keyVaultModifyFw')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json
index 85c57faf1..4c86ef6bf 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Kubernetes",
 "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Kubernetes",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -186,7 +186,8 @@
 "value": "[parameters('aksWindowsContainerAdministrator')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Shared-Host-Process-Namespace",
@@ -196,7 +197,8 @@
 "value": "[parameters('aksShareHostProcessAndNamespace')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "5.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Naked-Pods",
@@ -206,7 +208,8 @@
 "value": "[parameters('aksNakedPods')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Default-Namespace",
@@ -216,7 +219,8 @@
 "value": "[parameters('aksDefaultNamespace')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "4.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Internal-Lb",
@@ -226,7 +230,8 @@
 "value": "[parameters('aksInternalLb')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "8.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Temp-Disk-Encryption",
@@ -236,7 +241,8 @@
 "value": "[parameters('aksTempDisk')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Allowed-Capabilities",
@@ -246,7 +252,8 @@
 "value": "[parameters('aksAllowedCapabilities')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "6.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Priv-Escalation",
@@ -256,7 +263,8 @@
 "value": "[parameters('aksPrivEscalation')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "7.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Priv-Containers",
@@ -266,7 +274,8 @@
 "value": "[parameters('aksPrivContainers')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "9.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-ReadinessOrLiveness-Probes",
@@ -276,7 +285,8 @@
 "value": "[parameters('aksReadinessOrLivenessProbes')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "3.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-Aks-Command-Invoke",
@@ -286,7 +296,8 @@
 "value": "[parameters('aksCommandInvoke')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-Aks-Policy",
@@ -296,7 +307,8 @@
 "value": "[parameters('aksPolicy')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "4.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Private-Cluster",
@@ -306,7 +318,8 @@
 "value": "[parameters('aksPrivateCluster')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Local-Auth",
@@ -316,7 +329,8 @@
 "value": "[parameters('aksLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Kms",
@@ -326,7 +340,8 @@
 "value": "[parameters('aksKms')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Aks-Cni",
@@ -336,7 +351,8 @@
 "value": "[parameters('aksCni')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
index 1c683c4a2..3b04e8eed 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Machine Learning",
 "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Machine Learning",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -144,7 +144,8 @@
 "value": "[parameters('mlOutdatedOS')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ML-Local-Auth",
@@ -154,7 +155,8 @@
 "value": "[parameters('mlLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-ML-Local-Auth",
@@ -164,7 +166,8 @@
 "value": "[parameters('mlModifyLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ML-User-Assigned-Identity",
@@ -174,7 +177,8 @@
 "value": "[parameters('mlUserAssignedIdentity')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-ML-Public-Network-Access",
@@ -184,7 +188,8 @@
 "value": "[parameters('mlModifyPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ML-Idle-Shutdown",
@@ -194,7 +199,8 @@
 "value": "[parameters('mlIdleShutdown')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Audit-ML-Virtual-Network",
@@ -204,7 +210,8 @@
 "value": "[parameters('mlVirtualNetwork')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ML-Legacy-Mode",
@@ -214,7 +221,8 @@
 "value": "[parameters('mlLegacyMode')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Audit-ML-Private-Link",
@@ -224,7 +232,8 @@
 "value": "[parameters('mlPrivateLink')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Aine-ML-Resource-Logs",
@@ -234,7 +243,8 @@
 "value": "[parameters('mlResourceLogs')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-ML-Allowed-Registry-Deploy",
@@ -244,7 +254,8 @@
 "value": "[parameters('mlAllowedRegistryDeploy')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*-preview"
 },
 {
 "policyDefinitionReferenceId": "Deny-ML-Allowed-Module",
@@ -254,7 +265,8 @@
 "value": "[parameters('mlAllowedModule')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "6.*.*-preview"
 },
 {
 "policyDefinitionReferenceId": "Deny-ML-Allowed-Python",
@@ -264,7 +276,8 @@
 "value": "[parameters('mlAllowedPython')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "5.*.*-preview"
 },
 {
 "policyDefinitionReferenceId": "Deny-ML-Allowed-Registries",
@@ -274,7 +287,8 @@
 "value": "[parameters('mlAllowedRegistries')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "6.*.*-preview"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json
index 269fca49c..3ef614ad8 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for MySQL",
 "description": "This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "MySQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -45,7 +45,8 @@
 "value": "[parameters('mySqlAdvThreatProtection')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-MySql-Infra-Encryption",
@@ -55,7 +56,8 @@
 "value": "[parameters('mySqlInfraEncryption')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json
index 28a05525f..df43865e5 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Network and Networking services",
 "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -268,7 +268,8 @@
 "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
 "parameters": {},
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-VPN-AzureAD",
@@ -278,7 +279,8 @@
 "value": "[parameters('vpnAzureAD')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled",
@@ -288,7 +290,8 @@
 "value": "[parameters('wafAfdEnabled')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Waf-IDPS",
@@ -298,7 +301,8 @@
 "value": "[parameters('afwEnableIDPS')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-FW-AllIDPSS",
@@ -308,7 +312,8 @@
 "value": "[parameters('afwEnableAllIDPSSignatureRules')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass",
@@ -318,7 +323,8 @@
 "value": "[parameters('afwEmptyIDPSBypassList')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection",
@@ -328,7 +334,8 @@
 "value": "[parameters('afwEnableTlsInspection')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp",
@@ -338,7 +345,8 @@
 "value": "[parameters('afwEnbaleTlsForAllAppRules')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode",
@@ -351,7 +359,8 @@
 "value": "[parameters('wafModeAppGwRequirement')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Waf-Fw-rules",
@@ -361,7 +370,8 @@
 "value": "[parameters('wafFwRules')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Waf-mode",
@@ -374,7 +384,8 @@
 "value": "[parameters('wafModeRequirement')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-vNet-DDoS",
@@ -387,19 +398,22 @@
 "value": "[parameters('ddosPlanResourceId')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Ip-Forwarding",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
 "parameters": {},
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-vNic-Pip",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
 "parameters": {},
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf",
@@ -409,7 +423,8 @@
 "value": "[parameters('appGwWaf')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Subnet-Without-Udr",
@@ -419,7 +434,8 @@
 "value": "[parameters('subnetUdr')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG",
@@ -429,7 +445,8 @@
 "value": "[parameters('subnetNsg')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints",
@@ -439,7 +456,8 @@
 "value": "[parameters('subnetServiceEndpoint')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Mgmt-From-Internet",
@@ -452,7 +470,8 @@
 "value": "[parameters('denyMgmtFromInternetPorts')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AppGw-Without-Tls",
@@ -462,7 +481,8 @@
 "value": "[parameters('appGwTlsVersion')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Udr",
@@ -481,7 +501,8 @@
 "value": "[parameters('modifyUdrAddressPrefix')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Nsg",
@@ -521,7 +542,8 @@
 "value": "[parameters('modifyNsgRuleDescription')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
index 2b6dbbbc5..28c7ade9f 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)",
 "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Cognitive Services",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -122,7 +122,8 @@
 "value": "[parameters('cognitiveServicesOutboundNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-OpenAi-NetworkAcls",
@@ -132,7 +133,8 @@
 "value": "[parameters('cognitiveServicesNetworkAcls')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity",
@@ -142,7 +144,8 @@
 "value": "[parameters('cognitiveServicesManagedIdentity')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth",
@@ -152,7 +155,8 @@
 "value": "[parameters('cognitiveServicesDisableLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Cognitive-Services-Cust-Storage",
@@ -162,7 +166,8 @@
 "value": "[parameters('cognitiveServicesCustomerStorage')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth",
@@ -172,7 +177,8 @@
 "value": "[parameters('cognitiveServicesModifyDisableLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-AzureAI-Network-Access",
@@ -182,7 +188,8 @@
 "value": "[parameters('azureAiNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "3.*.*"
 },
 {
 "policyDefinitionReferenceId": "Audit-AzureAI-Private-Link",
@@ -192,7 +199,8 @@
 "value": "[parameters('azureAiPrivateLink')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key",
@@ -202,7 +210,8 @@
 "value": "[parameters('azureAiDisableLocalKey')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key2",
@@ -212,7 +221,8 @@
 "value": "[parameters('azureAiDisableLocalKey2')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Aine-AzureAI-Diag-Settings",
@@ -222,7 +232,8 @@
 "value": "[parameters('azureAiDiagSettings')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json
index 6a7345101..82c5c414c 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for PostgreSQL",
 "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "PostgreSQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -36,7 +36,8 @@
 "value": "[parameters('postgreSqlAdvThreatProtection')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json
index 35e5d0060..a232731d1 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Service Bus",
 "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Service Bus",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -63,7 +63,8 @@
 "value": "[parameters('serviceBusAuthzRules')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Sb-Encryption",
@@ -73,7 +74,8 @@
 "value": "[parameters('serviceBusDoubleEncryption')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Sb-LocalAuth",
@@ -83,7 +85,8 @@
 "value": "[parameters('serviceBusDenyDisabledLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Sb-LocalAuth",
@@ -93,7 +96,8 @@
 "value": "[parameters('serviceBusModifyDisableLocalAuth')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json
index 26a05fd68..39f6b9b5a 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for SQL and SQL Managed Instance",
 "description": "This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -62,7 +62,8 @@
 "value": "[parameters('sqlManagedDefender')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "2.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Sql-Aad-Only",
@@ -72,7 +73,8 @@
 "value": "[parameters('sqlAadOnly')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Sql-Managed-Aad-Only",
@@ -82,13 +84,15 @@
 "value": "[parameters('sqlManagedAadOnly')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Dine-Sql-Adv-Data",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6",
 "parameters": {},
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Modify-Sql-PublicNetworkAccess",
@@ -98,7 +102,8 @@
 "value": "[parameters('modifySqlPublicNetworkAccess')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json
index f46109852..894ad827e 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Storage Account",
 "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Storage",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -239,7 +239,8 @@
 "value": "[parameters('storageAccountsAllowedCopyScope')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption",
@@ -249,7 +250,8 @@
 "value": "[parameters('storageServicesEncryption')]"
 }
 },
- "groupNames": []
+ "groupNames": [],
+ "definitionVersion": "1.*.*"
 },
 {
 "policyDefinitionReferenceId": "Deny-Storage-LocalUser",
@@ -259,7 +261,8 @@ "value": "[parameters('storageLocalUser')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-SFTP", @@ -269,7 +272,8 @@ "value": "[parameters('storageSftp')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "" }, { "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass", @@ -282,7 +286,8 @@ "value": "[parameters('storageAllowedNetworkAclsBypass')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId", @@ -292,7 +297,8 @@ "value": "[parameters('storageResourceAccessRulesTenantId')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId", @@ -302,7 +308,8 @@ "value": "[parameters('storageResourceAccessRulesResourceId')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules", @@ -312,7 +319,8 @@ "value": "[parameters('storageNetworkAclsVirtualNetworkRules')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy", @@ -325,7 +333,8 @@ "value": "[parameters('storageMinContainerDeleteRetentionInDays')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-CorsRules", @@ -335,7 +344,8 @@ "value": "[parameters('storageCorsRules')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption", 
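Review bot: The `Deny-Storage-SFTP` entry receives `"definitionVersion": ""`, whereas every sibling entry in this file and in the other initiatives of the patch receives a `major.*.*` pattern such as `"definitionVersion": "1.*.*"`; an empty string is not a version pattern and reads like the generator passing through a missing upstream value rather than a deliberate choice. Either pin it consistently (`"definitionVersion": "1.*.*"`, if that is the current major of the referenced built-in) or drop the property for this entry so the service default, presumably the latest version, applies, and confirm how Azure Policy treats an empty string before this is deployed as part of a deny-effect guardrail. Since the commit is an automated template update, the pipeline that emits these files should reject empty or malformed `definitionVersion` values so this class of drift cannot land silently.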
@@ -345,7 +355,8 @@ "value": "[parameters('storageAccountsDoubleEncryption')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant", @@ -355,7 +366,8 @@ "value": "[parameters('storageAccountsCrossTenant')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Shared-Key", @@ -365,7 +377,8 @@ "value": "[parameters('storageAccountSharedKey')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "2.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption", @@ -375,7 +388,8 @@ "value": "[parameters('storageAccountsInfraEncryption')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Classic", @@ -385,7 +399,8 @@ "value": "[parameters('storageClassicToArm')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Dine-Storage-Threat-Protection", @@ -395,7 +410,8 @@ "value": "[parameters('storageThreatProtection')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules", @@ -405,7 +421,8 @@ "value": "[parameters('storageAccountRestrictNetworkRules')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-NetworkRules", @@ -415,7 +432,8 @@ "value": "[parameters('storageAccountNetworkRules')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire", @@ -425,7 +443,8 @@ "value": "[parameters('storageKeysExpiration')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "3.*.*" }, { "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint", 
@@ -435,7 +454,8 @@ "value": "[parameters('modifyStorageFileSyncPublicEndpoint')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint", @@ -445,7 +465,8 @@ "value": "[parameters('modifyStorageAccountPublicEndpoint')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint", @@ -455,7 +476,8 @@ "value": "[parameters('storageAccountsModifyDisablePublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json index 011c041ca..deb5b3e0a 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Synapse workspaces", "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Synapse", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -110,7 +110,8 @@ "value": "[parameters('synapseDefender')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Modify-Synapse-Local-Auth", @@ -120,7 +121,8 @@ "value": "[parameters('synapseModifyLocalAuth')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Synapse-Fw-Rules", 
@@ -130,7 +132,8 @@ "value": "[parameters('synapseFwRules')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Synapse-Tenant-Access", @@ -143,7 +146,8 @@ "value": "[parameters('synapseAllowedTenantIds')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Synapse-Data-Traffic", @@ -153,7 +157,8 @@ "value": "[parameters('synapseDataTraffic')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Synapse-Managed-Vnet", @@ -163,7 +168,8 @@ "value": "[parameters('synapseManagedVnet')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Deny-Synapse-Local-Auth", @@ -173,7 +179,8 @@ "value": "[parameters('synapseLocalAuth')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Modify-Synapse-Tls-Version", @@ -183,7 +190,8 @@ "value": "[parameters('synapseModifyTlsVersion')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Modify-Synapse-Public-Network-Access", @@ -193,7 +201,8 @@ "value": "[parameters('synapseModifyPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json index c65b0f739..93251ff2b 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json 
@@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Virtual Desktop", "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Desktop Virtualization", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -44,7 +44,8 @@ "value": "[parameters('avdWorkspaceModifyPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" }, { "policyDefinitionReferenceId": "Modify-Hostpool-PublicNetworkAccess", @@ -54,7 +55,8 @@ "value": "[parameters('avdHostPoolModifyPublicNetworkAccess')]" } }, - "groupNames": [] + "groupNames": [], + "definitionVersion": "1.*.*" } ], "policyDefinitionGroups": null