diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
index b6261825c..c166d6993 100644
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
@@ -25,7 +25,7 @@
 "Enforce-ASR",
 "Enforce-GR-KeyVault",
 "Enforce-Subnet-Private",
- "Enforce-TLS-SSL-H224"
+ "Enforce-TLS-SSL-Q225"
 ],
 "policy_definitions": [],
 "policy_set_definitions": [],
diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
index e676b1a2c..9464ae84b 100644
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
@@ -29,6 +29,8 @@
 "Audit-PrivateLinkDnsZones",
 "Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
 "Audit-ServerFarms-UnusedResourcesCostOptimization",
+ "Audit-Tags-Mandatory-Rg",
+ "Audit-Tags-Mandatory",
 "Deny-AA-child-resources",
 "Deny-APIM-TLS",
 "Deny-AppGw-Without-Tls",
@@ -196,6 +198,7 @@
 "Enforce-Backup",
 "Enforce-Encryption-CMK",
 "Enforce-EncryptTransit_20240509",
+ "Enforce-EncryptTransit_20241211",
 "Enforce-EncryptTransit",
 "Enforce-Guardrails-APIM",
 "Enforce-Guardrails-AppServices",
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
index c5b0e5347..9f5ae35c1 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
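Review bot: Replacing `"Enforce-TLS-SSL-H224"` with `"Enforce-TLS-SSL-Q225"` removes the old assignment from the landing zones archetype instead of adding the new one beside it, so on an already-deployed hierarchy the H224 assignment will presumably be destroyed and the Q225 one created, with a possible window in which neither TLS/SSL enforcement assignment is in effect. The Q225 assignment template itself is not visible in this chunk, so I cannot confirm that it exists or that it references the `Enforce-EncryptTransit_20241211` set added to the root archetype below. A release-note line telling operators to expect the replacement and to re-check compliance results after apply would make the cutover explicit.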
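Review bot: `"Audit-Tags-Mandatory-Rg"` is inserted before `"Audit-Tags-Mandatory"`, which breaks the alphabetical order the surrounding entries of this list keep (the shorter prefix sorts first); swapping the two added lines keeps the list sorted and future diffs readable. The list starts and ends outside the hunk.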
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Audit-AppGW-WAF",
 "dependsOn": [],
 "properties": {
 "description": "Assign the WAF should be enabled for Application Gateway audit policy.",
 "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json
index 2fde061f2..69f9d0151 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_resourcerglocation.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Audit-ResourceRGLocation",
 "dependsOn": [],
 "properties": {
 "description": "Resource Group and Resource locations should match.",
 "displayName": "Resource Group and Resource locations should match",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
index 0da4e80b1..75bf68c21 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
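Review bot: The added `"definitionVersion": "2.*.*"` pins this assignment to one major line of the built-in, so any later major version of the definition is never adopted until this template is edited; the same pin is introduced in every policy_assignment hunk of this diff, and the consequence is largest for Deploy-ASC-Monitoring, where the Microsoft Cloud Security Benchmark initiative is pinned to `"57.*.*"` and controls that arrive in later majors will not be evaluated on the assigned scope. If the assignments previously followed whatever version the service resolved when no `definitionVersion` was set, this is a behaviour change worth stating in the release notes together with the expectation that the pins are reviewed periodically. A CI check that compares each pinned major against the current built-in version would turn that expectation into a detectable drift rather than a silent one.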
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_trustedlaunch.tmpl.json
@@ -11,7 +11,7 @@
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
- "message": "Trust Launch {enforcementMode} be used on supported virtual machines for enhanced security."
+ "message": "Trusted Launch {enforcementMode} be used on supported virtual machines for enhanced security."
 }
 ],
 "parameters": {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
index 8178f23db..99db11394 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_audit_zoneresiliency.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Audit-ZoneResiliency",
 "dependsOn": [],
 "properties": {
 "description": "Resources should be Zone Resilient.",
 "displayName": "Resources should be Zone Resilient",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5",
+ "definitionVersion": "1.*.*-preview",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_classic_resources.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_classic_resources.tmpl.json
index 2513e766d..3020c6596 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_classic_resources.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_classic_resources.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Classic-Resources",
 "dependsOn": [],
 "properties": {
 "description": "Denies deployment of classic resource types under the assigned scope.",
 "displayName": "Deny the deployment of classic resources",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
index 92c4b0f10..52e1e1e5d 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-HybridNetworking",
 "dependsOn": [],
 "properties": {
 "description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.",
 "displayName": "Deny the deployment of vWAN/ER/VPN gateway resources",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
index d5628a3cb..857497d6a 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-IP-forwarding",
 "dependsOn": [],
 "properties": {
@@ -13,6 +13,7 @@
 }
 ],
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+ "definitionVersion": "1.*.*",
 "scope": "${current_scope_resource_id}",
 "notScopes": [],
 "parameters": {}
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_esc_aks.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_esc_aks.tmpl.json
index 7d9158f5a..ded7647e1 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_esc_aks.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_priv_esc_aks.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Priv-Esc-AKS",
 "dependsOn": [],
 "properties": {
 "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes clusters should not allow container privilege escalation",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+ "definitionVersion": "7.*.*",
 "enforcementMode": "Default",
 "parameters": {
 "effect": {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_privileged_aks.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_privileged_aks.tmpl.json
index dd9ee2240..89523602c 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_privileged_aks.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_privileged_aks.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Privileged-AKS",
 "dependsOn": [],
 "properties": {
 "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes cluster should not allow privileged containers",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+ "definitionVersion": "9.*.*",
 "enforcementMode": "Default",
 "parameters": {
 "effect": {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
index 4bcb133b4..3476a65a2 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Public-IP",
 "dependsOn": [],
 "properties": {
 "description": "This policy denies creation of Public IPs under the assigned scope.",
 "displayName": "Deny the creation of public IP",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
index 589b39e58..b9381231d 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Public-IP-On-NIC",
 "dependsOn": [],
 "properties": {
 "description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.",
 "displayName": "Deny network interfaces having a public IP associated",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
index ceefeee79..d43311526 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-Storage-http",
 "dependsOn": [],
 "properties": {
 "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
 "displayName": "Secure transfer to storage accounts should be enabled",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
index e5f6a8841..944f97715 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deny-UnmanagedDisk",
 "dependsOn": [],
 "properties": {
 "description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields.",
 "displayName": "Deny virtual machines and virtual machine scale sets that do not use managed disk",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
index 421d8bd6e..804be3d43 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-ASC-Monitoring",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Microsoft Cloud Security Benchmark policy initiative.",
 "displayName": "Microsoft Cloud Security Benchmark",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
+ "definitionVersion": "57.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
index 433cb60e9..d8e48f9f0 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-AzActivity-Log",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events",
 "displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azsqldb_auditing.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azsqldb_auditing.tmpl.json
index e2c05a33b..8d032a706 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azsqldb_auditing.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_azsqldb_auditing.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-AzSqlDb-Auditing",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.",
 "displayName": "Configure SQL servers to have auditing enabled to Log Analytics workspace",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json
index b09d4d3fc..e715bde62 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-Diag-LogsCat",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.",
 "displayName": "Enable category group resource logging for supported resources to Log Analytics",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
index 19b583af0..726259779 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-Log-Analytics",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking.",
 "displayName": "Configure Log Analytics workspace and automation account to centralize logs and monitoring",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "DoNotEnforce",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpoints.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpoints.tmpl.json
index 42d59c9a4..473ad2a7e 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpoints.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpoints.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-MDEndpoints",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Deploy Microsoft Defender for Endpoint agent on applicable images.",
 "displayName": "[Preview]: Deploy Microsoft Defender for Endpoint agent",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc",
+ "definitionVersion": "1.*.*-preview",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json
index ee9a51225..91d6308ae 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdendpointsama.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-MDEndpointsAMA",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.",
 "displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json
index f09719dd9..6cb7ea090 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_defsql_ama.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-MDFC-DefSQL-AMA",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations).",
 "displayName": "Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
index e8adaa240..b622740fc 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-MDFC-OssDb",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
 "displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
index ebcb44213..03e777cb8 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-MDFC-SqlAtp",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
 "displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97",
+ "definitionVersion": "3.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
index 07d0f465b..030eeec89 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-SQL-TDE",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "This policy ensures that Transparent Data Encryption is enabled on SQL Servers.",
 "displayName": "Deploy TDE on SQL servers",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
index 331007f4e..b3f122074 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-SQL-Threat",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "This policy ensures that Threat Detection is enabled on SQL Servers.",
 "displayName": "Deploy Threat Detection on SQL servers",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
+ "definitionVersion": "2.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
index 3b44c1867..e9fc9a477 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-VM-Backup",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.",
 "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
+ "definitionVersion": "9.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
index 0833b7cba..63441b59e 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_changetrack.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-VM-ChangeTrack",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.",
 "displayName": "Enable ChangeTracking and Inventory for virtual machines",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354",
+ "definitionVersion": "1.*.*-preview",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
index e96534245..762e5a44c 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-VM-Monitoring",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
 "displayName": "Enable Azure Monitor for VMs",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json
index 3a710dcf6..678da60f0 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json
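Review bot: The `"definitionVersion": "1.*.*-preview"` pin added to Deploy-VM-ChangeTrack tracks only preview releases of major version 1 of initiative 92a36f05-…, so as I read the Azure Policy versioning docs the assignment will not move to a GA 1.x release when the built-in leaves preview; that then needs a follow-up edit of this template, which is easy to forget. The same pin is added for Deploy-vmArc-ChangeTrack and Deploy-VMSS-ChangeTrack in later hunks. Consider recording in the module's upgrade notes the exact line to flip once the built-in reaches GA, `"definitionVersion": "1.*.*"`. The wildcard-with-suffix behaviour should be confirmed against the service docs before relying on it.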
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmarc_changetrack.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-vmArc-ChangeTrack",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations.",
 "displayName": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1",
+ "definitionVersion": "1.*.*-preview",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json
index da73e9e78..fa31fedb7 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmhybr_monitoring.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-vmHybr-Monitoring",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enable Azure Monitor for Hybrid Virtual Machines in the specified scope (Management group, Subscription or resource group).",
 "displayName": "Enable Azure Monitor for Hybrid Virtual Machines",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json
index 868d85566..8ced7adde 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_changetrack.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-VMSS-ChangeTrack",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.",
 "displayName": "Enable ChangeTracking and Inventory for virtual machine scale sets",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc",
+ "definitionVersion": "1.*.*-preview",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
index 4fd83c85e..9e67296d7 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Deploy-VMSS-Monitoring",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
 "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
index fc1034c4e..d3b48b0b5 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
@@ -1,6 +1,6 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Enable-DDoS-VNET",
 "location": "${default_location}",
 "dependsOn": [],
@@ -11,6 +11,7 @@
 "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs.",
 "displayName": "Virtual networks should be protected by Azure DDoS Network Protection",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "parameters": {
 "ddosPlan": {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_aks_https.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_aks_https.tmpl.json
index f6d6403a8..3c18bc04a 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_aks_https.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_aks_https.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Enforce-AKS-HTTPS",
 "dependsOn": [],
 "properties": {
 "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc",
 "displayName": "Kubernetes clusters should be accessible only over HTTPS",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+ "definitionVersion": "8.*.*",
 "enforcementMode": "Default",
 "parameters": {
 "effect": {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json
index f2a0da607..07db9bd28 100644
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json
@@ -1,12 +1,13 @@
 {
 "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
+ "apiVersion": "2024-04-01",
 "name": "Enforce-Subnet-Private",
 "dependsOn": [],
 "properties": {
 "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement",
 "displayName": "Subnets should be private",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837",
+ "definitionVersion": "1.*.*",
 "enforcementMode": "Default",
 "nonComplianceMessages": [
 {
diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl_q225.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl_q225.tmpl.json
new file mode 100644
index 000000000..04234d2f9
--- /dev/null
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl_q225.tmpl.json
@@ -0,0 +1,24 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "Enforce-TLS-SSL-Q225",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211",
+ "enforcementMode": "Default",
+ "nonComplianceMessages": [
+ {
+ "message": "TLS and SSL {enforcementMode} be enabled for on resources without encryption in transit."
+ }
+ ],
+ "parameters": {},
+ "scope": "${current_scope_resource_id}",
+ "notScopes": []
+ }
+}
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory.json
new file mode 100644
index 000000000..dd83bce93
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory.json
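Review bot: This new Enforce-TLS-SSL-Q225 assignment keeps `"apiVersion": "2022-06-01"` while every other assignment touched in this change moves to `2024-04-01`; it should read `"apiVersion": "2024-04-01"` unless the older version is deliberate (nothing set here needs the newer one, so this is consistency only). Because `"parameters": {}` is empty, the assignment runs Enforce-EncryptTransit_20241211 at its defaults, which from the parameters visible at the end of this chunk are Append/Audit/AuditIfNotExists rather than Deny, so the "Deny or Deploy" displayName reads stronger than the posture actually applied; worth stating in the description or the archetype docs. Related: in that referenced set, the metadata of `AppServiceHttpEffect` (talks about minimum TLS version) and `AppServiceTlsVersionEffect` (talks about HTTPS only) appear swapped relative to the parameter names, which will confuse anyone overriding them through this assignment. Minor: the non-compliance message says "be enabled for on resources"; suggest `"message": "TLS and SSL {enforcementMode} be enabled on resources without encryption in transit."`.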
@@ -0,0 +1,66 @@
+{
+ "name": "Audit-Tags-Mandatory",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Audit for mandatory tags on resources",
+ "description": "Audits resources to ensure they have required tags based on tag array. Does not apply to resource groups.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Tags",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "mandatoryTags": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Array of mandatory tags",
+ "description": "Array of mandatory tags that must be present on the resource group. The array should contain semicolon separated list of the tag names."
+ },
+ "defaultValue": [
+ "owner",
+ "costcenter"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "not": {
+ "count": {
+ "value": "[parameters('mandatoryTags')]",
+ "name": "tagcount",
+ "where": {
+ "field": "tags",
+ "containsKey": "[current('tagcount')]"
+ }
+ },
+ "equals": "[length(parameters('mandatoryTags'))]"
+ }
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory_rg.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory_rg.json
new file mode 100644
index 000000000..d1d2818f6
--- /dev/null
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_audit_tags_mandatory_rg.json
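Review bot: `"mode": "All"` together with a policyRule that has no type filter means this definition does evaluate resource groups (and subscriptions), contradicting its own description "Does not apply to resource groups"; the built-in "Require a tag on resources" achieves that exclusion with `"mode": "Indexed"`, so either switch to Indexed or add a `{"field": "type", "notEquals": "Microsoft.Resources/subscriptions/resourceGroups"}` condition inside an `allOf`. Since `Deny` is an allowed effect, the current shape would also reject resource-group and subscription-level writes once assigned with Deny, which I doubt is intended — verify against the Azure Policy mode docs. The `mandatoryTags` description is copied from the resource-group variant ("must be present on the resource group") and speaks of a "semicolon separated list" although the parameter is an `Array`; suggest `"description": "Array of tag names that must be present on the resource."`. The file also ends without a trailing newline.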
@@ -0,0 +1,91 @@
+{
+ "name": "Audit-Tags-Mandatory-Rg",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Audit for mandatory tags on resource groups",
+ "description": "Audits resource groups to ensure they have required tags based on tag array.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Tags",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "mandatoryTags": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Array of mandatory tags",
+ "description": "Array of mandatory tags that must be present on the resource group. The array should contain semicolon separated list of the tag names."
+ },
+ "defaultValue": [
+ "owner",
+ "costcenter"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions/resourceGroups"
+ },
+ {
+ "anyOf": [
+ {
+ "not": {
+ "count": {
+ "value": "[parameters('mandatoryTags')]",
+ "name": "tagcount",
+ "where": {
+ "field": "tags",
+ "containsKey": "[current('tagcount')]"
+ }
+ },
+ "equals": "[length(parameters('mandatoryTags'))]"
+ }
+ },
+ {
+ "not": {
+ "count": {
+ "value": "[parameters('mandatoryTags')]",
+ "name": "tagnullcount",
+ "where": {
+ "value": "[resourceGroup().tags[current('tagnullcount')]]",
+ "notMatch": ""
+ }
+ },
+ "equals": "[length(parameters('mandatoryTags'))]"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
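Review bot: `"mode": "Indexed"` combined with `"equals": "Microsoft.Resources/subscriptions/resourceGroups"` looks inverted: as I read the Azure Policy mode docs, resource groups are evaluated in `All` mode (the built-in resource-group tag policies use `"mode": "All"` with this same type check), so this definition may never produce a compliance result; suggest `"mode": "All"` and a compliance scan against a resource group missing a tag to confirm. In the second `count`, `"value": "[resourceGroup().tags[current('tagnullcount')]]"` indexes a tag key that may not exist; the first `anyOf` branch already catches missing keys, but confirm that evaluating the expression for a missing key does not error the whole rule — an alias form such as `"field": "[concat('tags[', current('tagnullcount'), ']')]", "notEquals": ""` avoids the function call and is equivalent to the empty-pattern `notMatch`. The `mandatoryTags` description speaks of a "semicolon separated list" although the parameter is an `Array`, and the file ends without a trailing newline.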
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json
index c7ecc25f4..dc6d59aba 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments.json
@@ -32,7 +32,8 @@
 "type": "String",
 "metadata": {
 "description": "The storage account ID to store assessments",
- "displayName": "The storage account ID to store assessments"
+ "displayName": "The storage account ID to store assessments",
+ "assignPermissions": true
 }
 },
 "effect": {
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments_20230706.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments_20230706.json
index 08cb17fbb..2ae4d4207 100644
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments_20230706.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_vulnerabilityassessments_20230706.json
@@ -31,7 +31,8 @@
 "type": "String",
 "metadata": {
 "description": "The storage account ID to store assessments",
- "displayName": "The storage account ID to store assessments"
+ "displayName": "The storage account ID to store assessments",
+ "assignPermissions": true
 }
 },
 "effect": {
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json
index feb83fa83..8599319bd 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json
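Review bot: `"assignPermissions": true` on the storage-account-ID parameter is portal metadata — it asks the portal to create role assignments at the scope of the parameter value (the storage account) when an assignment is created there — so check that this module's role-assignment logic for DeployIfNotExists identities also honours the flag; otherwise a Terraform-created assignment still leaves the SQL vulnerability-assessment identity without rights on the target storage account and remediation fails. The roles granted come from `roleDefinitionIds` in the definition (outside this hunk); since the grant now lands on a storage account, that list should be a data-plane role such as a blob contributor rather than Contributor/Owner, to keep the identity least-privilege. If the flag is picked up, it widens the identity's reach beyond the assignment scope, which deserves a line in the changelog. The enclosing `parameters` object starts and ends outside the hunk.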
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_trustedlaunch.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Audit virtual machines for Trusted Launch support",
 "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Trusted Launch",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_unusedresourcescostoptimization.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_unusedresourcescostoptimization.tmpl.json
index 19bf84ea0..f389ea074 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_unusedresourcescostoptimization.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_audit_unusedresourcescostoptimization.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Unused resources driving cost should be avoided",
 "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0",
 "category": "Cost Optimization",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json
index 9587da77c..397074c56 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Public network access should be disabled for PaaS services",
 "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints",
 "metadata": {
- "version": "5.1.0",
+ "version": "5.2.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_denyaction_deleteprotection.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_denyaction_deleteprotection.tmpl.json
index 256a13358..f402e5595 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_denyaction_deleteprotection.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_denyaction_deleteprotection.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings",
 "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json
index 09c36e540..ab9424637 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_aum_checkupdates.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines",
 "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json
index 78698ddef..080cde369 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Deploy Microsoft Defender for Cloud configuration",
 "description": "Deploy Microsoft Defender for Cloud configuration",
 "metadata": {
- "version": "2.1.0",
+ "version": "2.2.0",
 "category": "Security Center",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "replacesPolicy": "Deploy-MDFC-Config",
@@ -226,6 +226,18 @@
 "displayName": "Effect",
 "description": "Enable or disable the execution of the policy"
 }
+ },
+ "enableTvmCheck": {
+ "type": "String",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
 }
 },
 "policyDefinitions": [
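Review bot: The new `enableTvmCheck` parameter reuses the generic `"displayName": "Effect"` and `"description": "Enable or disable the execution of the policy"`, so in the portal it is indistinguishable from the other effect parameters of this initiative; give it a specific label, e.g. `"displayName": "Effect for the MDE vulnerability management (TVM) migration check"`, and a description naming the referenced built-in. Defaulting it to `DeployIfNotExists` means existing assignments of this initiative pick up a remediating effect for that policy reference after the 2.2.0 update with no opt-in; if the previous empty `"parameters": {}` on that reference relied on the built-in's own default effect, that is a behaviour change worth stating in the changelog. The surrounding `parameters` object starts outside the hunk.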
@@ -410,7 +422,11 @@
 {
 "policyDefinitionReferenceId": "migrateToMdeTvm",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888",
- "parameters": {},
+ "parameters": {
+ "effect": {
+ "value": "[parameters('enableTvmCheck')]"
+ }
+ },
 "groupNames": []
 }
 ],
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json
index f016bc3f5..79e3b1ce6 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Configure Azure PaaS services to use private DNS zones",
 "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones",
 "metadata": {
- "version": "2.3.0",
+ "version": "2.4.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json
index 632d3fbc6..8637b0fa2 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_sql_security_20240529.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Deploy SQL Database built-in SQL security configuration",
 "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "replacesPolicy": "Deploy-Sql-Security",
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_acsb.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_acsb.tmpl.json
index e1e633bdf..b00da6904 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_acsb.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_acsb.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce Azure Compute Security Benchmark compliance auditing",
 "description": "Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Guest Configuration",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_decomm.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_decomm.tmpl.json
index 5b94975bb..1806a259b 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_decomm.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_decomm.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce policies in the Decommissioned Landing Zone",
 "description": "Enforce policies in the Decommissioned Landing Zone.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Decommissioned",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_sandbox.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_sandbox.tmpl.json
index 636e835d4..bb6dd2079 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_sandbox.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_alz_sandbox.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce policies in the Sandbox Landing Zone",
 "description": "Enforce policies in the Sandbox Landing Zone.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Sandbox",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json
index 9c1c69e4c..3a702a00f 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_backup.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce enhanced recovery and backup policies",
 "description": "Enforce enhanced recovery and backup policies on assigned scopes.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Backup",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json
index 7b07b46bd..cda0df04c 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
 "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Encryption",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json
index 1cafe91ff..e8fd341a5 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20240509.tmpl.json
@@ -5,13 +5,15 @@
 "scope": null,
 "properties": {
 "policyType": "Custom",
- "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
- "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ",
+ "displayName": "[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20241211.html ",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.0.0-deprecated",
 "category": "Encryption",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "replacesPolicy": "Enforce-EncryptTransit",
+ "deprecated": true,
+ "supersededBy": "Enforce-EncryptTransit_20241211",
 "alzCloudEnvironments": [
 "AzureCloud",
 "AzureChinaCloud",
@@ -47,9 +49,10 @@
 "type": "String",
 "defaultValue": "1.2",
 "allowedValues": [
+ "1.3",
 "1.2",
- "1.0",
- "1.1"
+ "1.1",
+ "1.0"
 ],
 "metadata": {
 "displayName": "App Service. Select version minimum TLS Web App config",
@@ -356,7 +359,7 @@
 "Disabled"
 ]
 },
- "StorageminimumTlsVersion": {
+ "StorageMinimumTlsVersion": {
 "type": "String",
 "defaultValue": "TLS1_2",
 "allowedValues": [
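Review bot: Renaming `StorageminimumTlsVersion` to `StorageMinimumTlsVersion` inside a definition that this same change marks `"deprecated": true` is a breaking edit for any existing assignment of this set that passes the old name, unless Azure Policy treats parameter names case-insensitively on the service side — please verify before merging. A deprecated definition should otherwise be frozen; the corrected name belongs in Enforce-EncryptTransit_20241211 only, and the same applies to adding `"1.3"` to the App Service `allowedValues` here (harmless, but it changes a deprecated initiative's surface). If the rename must stay, call it out as breaking in the changelog, and double-check that `"version": "1.0.0-deprecated"` is the ALZ convention when the content changes as well as the status. The parameter's `allowedValues` list continues outside the hunk.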
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20241211.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20241211.tmpl.json
new file mode 100644
index 000000000..bbd694be6
--- /dev/null
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encrypttransit_20241211.tmpl.json
@@ -0,0 +1,919 @@
+{
+ "name": "Enforce-EncryptTransit_20241211",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.",
+ "metadata": {
+ "version": "1.2.0",
+ "category": "Encryption",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "replacesPolicy": "Enforce-EncryptTransit_20240509",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "AppServiceHttpEffect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below",
+ "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny."
+ }
+ },
+ "AppServiceTlsVersionEffect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only",
+ "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny."
+ } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.3", + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionAppTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Configure Function apps to use the latest TLS version.", + "description": "App Service Function App. 
Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version." + }, + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "LogicAppTlsEffect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." 
+ }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. 
Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. 
Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. 
Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageMinimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "ContainerAppsHttpsOnlyEffect": { + "metadata": { + "displayName": "Container Apps should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." 
+ }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "logicAppHttpsEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubMinTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedTlsVersion": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlDbTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTlsVersion": { + "type": "string", + "defaultValue": "Deny", + 
"allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": 
"[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": 
"${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { 
+ "effect": { + "value": "[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "parameters": { + "effect": { + "value": "[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "parameters": { + "effect": { + "value": "[parameters('ContainerAppsHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "parameters": { + "effect": { + "value": "[parameters('FunctionAppTlsEffect')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "Deploy-LogicApp-TLS", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "parameters": { + "effect": { + "value": "[parameters('LogicAppTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", + "parameters": { + "effect": { + "value": "[parameters('logicAppHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "parameters": { + "effect": { + "value": "[parameters('functionAppSlotsTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", + "parameters": { + "effect": { + "value": "[parameters('appServiceAppsTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "parameters": { + "effect": { + "value": "[parameters('appServiceAppsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "parameters": { + "effect": { + "value": "[parameters('appServiceTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", + "parameters": { + "effect": { 
+ "value": "[parameters('appServiceAppSlotTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", + "parameters": { + "effect": { + "value": "[parameters('functionAppSlotsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "parameters": { + "effect": { + "value": "[parameters('functionAppHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "parameters": { + "effect": { + "value": "[parameters('appServiceAppSlotsHttps')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-EH-minTLS", + "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS", + "parameters": { + "effect": { + "value": "[parameters('eventHubMinTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", + "parameters": { + "effect": { + "value": "[parameters('sqlManagedTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + "parameters": { + "effect": { + "value": "[parameters('sqlDbTls')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Storage-Tls", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('storageAccountsTls')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('synapseTlsVersion')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json
index 395df58bb..a063caade 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_apim.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for API Management",
 "description": "This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "API Management",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json
index a571fb9c4..cc18f38cb 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_appservices.tmpl.json
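Review bot: The metadata of `AppServiceHttpEffect` and `AppServiceTlsVersionEffect` is swapped relative to how the parameters are wired: `AppServiceHttpEffect` feeds the effect of `Append-AppService-httpsonly` but its displayName and description describe appending the minimum TLS version, while `AppServiceTlsVersionEffect` feeds `Append-AppService-latestTLS` (together with `minTlsVersion`) but is documented as enabling HTTPS only, so an operator who sets one of them to `Disabled` from the portal switches off a different control than the text says. Swap the two `displayName`/`description` pairs so each describes the policy reference it actually controls. `PostgreSQLminimalTlsVersion` has a similar copy-paste slip: its displayName and description say "Select version minimum TLS for MySQL server" and "Azure Database for MySQL server" where they should say PostgreSQL. The fifteen parameters from `LogicAppTlsEffect` to `synapseTlsVersion` carry no `metadata` block at all, and they (plus `FunctionAppTlsEffect`) are typed `"string"` with camelCase names while the earlier parameters use `"String"` and PascalCase; a displayName and description for each, naming the policy reference the effect drives, would bring them in line with the rest of the set. The `TLSEnforcementDisabled` entry in the MySQL and PostgreSQL `allowedValues` lets an assignment keep the Deploy/Deny effect active while turning TLS enforcement off, which the parameter descriptions should call out explicitly so it is not chosen by accident.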
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for App Service",
 "description": "This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "App Service",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json
index 27e5cb41c..9b4d73046 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_automation.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Automation Account",
 "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Automation",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json
index e27021b39..36d30f960 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Bot Service",
 "description": "This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Bot Service",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
index a846b06a0..3f27c5966 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Cognitive Services",
 "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Cognitive Services",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json
index 856e612df..777dfb308 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_compute.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Compute",
 "description": "This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Compute",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json
index 5477729a9..d1a5a6db8 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerapps.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Container Apps",
 "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Container Apps",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json
index 0b1598cc7..6d98f353c 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerinstance.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Container Instance",
 "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Container Instances",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json
index edb893f56..d32c8fb91 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_containerregistry.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Container Registry",
 "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Container Registry",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json
index 8fd6bbca9..748b17afd 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cosmosdb.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Cosmos DB",
 "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Cosmos DB",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json
index 5a53702d3..10db9b7aa 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_dataexplorer.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Data Explorer",
 "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Azure Data Explorer",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json
index 0c87a56ff..1bbc8596d 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_datafactory.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Data Factory",
 "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Data Factory",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json
index 98870d1d7..04400b180 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventgrid.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Event Grid",
 "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Event Grid",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json
index 7b1a8fda5..a0bd42f07 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_eventhub.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Event Hub",
 "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Event Hub",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
index c46d2cc28..074ec3301 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Azure Key Vault",
 "description": "Enforce recommended guardrails for Azure Key Vault.",
 "metadata": {
- "version": "2.1.0",
+ "version": "2.2.0",
 "category": "Key Vault",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -21,7 +21,7 @@
 "effectKvSoftDelete": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Soft Delete",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -34,7 +34,7 @@
 "effectKvPurgeProtection": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Purge Protection",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -47,7 +47,7 @@
 "effectKvSecretsExpire": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Secrets Expiry",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
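Review bot: The `description` beneath each renamed effect parameter still reads `"Enable or disable the execution of the policy"` for every one of them — `effectKvSoftDelete` at @@ -21, `effectKvPurgeProtection` at @@ -34, `effectKvSecretsExpire` at @@ -47, and the five parameters in the following @@ -60 through @@ -139 hunks — so only the label was disambiguated while the help text, which presumably surfaces as the parameter tooltip and in generated docs, remains interchangeable. Since the initiative version is already bumped to 2.2.0 in the @@ -8 hunk, a description naming the policy each effect controls fits in the same change, e.g. `"description": "Effect applied by the Key Vault soft delete policy"` for the first one. The enclosing `parameters` object begins and ends outside these hunks.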
@@ -60,7 +60,7 @@
 "effectKvKeysExpire": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Keys Expiry",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -73,7 +73,7 @@
 "effectKvFirewallEnabled": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Firewall Enabled",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -86,7 +86,7 @@
 "effectKvCertLifetime": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Certificate Lifetime",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -118,7 +118,7 @@
 "effectKvKeysLifetime": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Keys Lifetime",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
@@ -139,7 +139,7 @@
 "effectKvSecretsLifetime": {
 "type": "String",
 "metadata": {
- "displayName": "Effect",
+ "displayName": "Effect - KV Secrets Lifetime",
 "description": "Enable or disable the execution of the policy"
 },
 "allowedValues": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json
index 8b4b199fe..c320417ad 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_keyvault_sup.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce additional recommended guardrails for Key Vault",
 "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Key Vault",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json
index 85c57faf1..02baf03ba 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_kubernetes.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Kubernetes",
 "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Kubernetes",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
index 1c683c4a2..fe1a92c92 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Machine Learning",
 "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Machine Learning",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json
index 269fca49c..377b87fe7 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_mysql.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for MySQL",
 "description": "This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "MySQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json
index 28a05525f..3f68f2fed 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_network.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Network and Networking services",
 "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Network",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
index 2b6dbbbc5..0c7dac540 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)",
 "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Cognitive Services",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json
index 6a7345101..3db617c11 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_postgresql.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for PostgreSQL",
 "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "PostgreSQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json
index 35e5d0060..d4eaf1ef8 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_servicebus.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Service Bus",
 "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Service Bus",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json
index 26a05fd68..b5bbff7e5 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_sql.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for SQL and SQL Managed Instance",
 "description": "This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json
index f46109852..f399e8f8c 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_storage.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Storage Account",
 "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Storage",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json
index 011c041ca..b7ad1eab5 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_synapse.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Synapse workspaces",
 "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Synapse",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json
index c65b0f739..fe2c85596 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_virtualdesktop.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Virtual Desktop",
 "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Desktop Virtualization",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [