From 7285aee55c338856e952cba8eb026d9649f84d7b Mon Sep 17 00:00:00 2001 
From: github-actions Date: Wed, 13 Nov 2024 08:01:35 +0000 Subject: [PATCH] Update Library Templates (automated) --- ...type_definition_es_landing_zones.tmpl.json | 2 +- ...archetype_definition_es_platform.tmpl.json | 3 +- .../archetype_definition_es_root.tmpl.json | 3 +- ...ssignment_es_deploy_diag_logscat.tmpl.json | 28 ++ ...ment_es_deploy_private_dns_zones.tmpl.json | 6 +- ...gnment_es_enforce_subnet_private.tmpl.json | 28 ++ ...nition_es_append_appservice_latesttls.json | 5 +- ...nition_es_append_redis_sslenforcement.json | 4 +- .../policy_definition_es_deny_eh_mintls.json | 4 +- .../policy_definition_es_deny_mysql_http.json | 4 +- .../policy_definition_es_deny_redis_http.json | 6 +- .../policy_definition_es_deny_sql_mintls.json | 4 +- ...olicy_definition_es_deny_sqlmi_mintls.json | 6 +- ...efinition_es_deny_vnet_peer_cross_sub.json | 22 +- ...nition_es_deploy_mysql_sslenforcement.json | 4 +- ...n_es_deploy_postgresql_sslenforcement.json | 4 +- ...inition_es_deploy_private_dns_generic.json | 19 +- ...olicy_definition_es_deploy_sql_mintls.json | 4 +- ...icy_definition_es_deploy_sqlmi_mintls.json | 4 +- ...tion_es_deploy_storage_sslenforcement.json | 4 +- ...n_es_deploy_mdfc_config_20240319.tmpl.json | 19 +- ...tion_es_deploy_private_dns_zones.tmpl.json | 328 ++++++++++++++---- ...nition_es_enforce_encryption_cmk.tmpl.json | 24 +- ...es_enforce_guardrails_botservice.tmpl.json | 107 ++++++ ...rce_guardrails_cognitiveservices.tmpl.json | 76 +++- ...force_guardrails_machinelearning.tmpl.json | 166 ++++++++- ...ion_es_enforce_guardrails_openai.tmpl.json | 93 ++++- 27 files changed, 858 insertions(+), 119 deletions(-) create mode 100644 modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json create mode 100644 modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json create mode 100644 
modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json index 4891d51b1..b6261825c 100644 --- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json +++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json @@ -8,7 +8,6 @@ "Deny-Privileged-AKS", "Deny-Storage-http", "Deny-Subnet-Without-Nsg", - "Deploy-AKS-Policy", "Deploy-AzSqlDb-Auditing", "Deploy-MDFC-DefSQL-AMA", "Deploy-SQL-TDE", @@ -25,6 +24,7 @@ "Enforce-AKS-HTTPS", "Enforce-ASR", "Enforce-GR-KeyVault", + "Enforce-Subnet-Private", "Enforce-TLS-SSL-H224" ], "policy_definitions": [], diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json index 8d6f4e472..44df8988a 100644 --- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json +++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json @@ -11,7 +11,8 @@ "Deploy-VMSS-Monitoring", "Enable-AUM-CheckUpdates", "Enforce-ASR", - "Enforce-GR-KeyVault" + "Enforce-GR-KeyVault", + "Enforce-Subnet-Private" ], "policy_definitions": [], "policy_set_definitions": [], diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json index 888927d5a..e676b1a2c 100644 --- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json +++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json 
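Review bot: Dropping `"Deploy-AKS-Policy"` from the landing zones archetype in the first hunk removes that assignment, its system-assigned identity and the role assignments granted to it on the next apply, and nothing else in this patch shows where deployment of the AKS policy add-on now comes from. If the removal is deliberate (for example because the add-on is covered by another initiative), a sentence in the commit description or the archetype changelog naming the replacement would save operators a compliance-gap hunt. `"Enforce-Subnet-Private"`, added here and to the platform archetype in the third hunk, ships in this same patch with its `effect` parameter set to `Audit`, so it reports rather than blocks default outbound access; if that is an audit-first rollout it is worth saying so where the archetype is documented.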
@@ -9,7 +9,7 @@ "Deny-UnmanagedDisk", "Deploy-ASC-Monitoring", "Deploy-AzActivity-Log", - "Deploy-Diag-Logs", + "Deploy-Diag-LogsCat", "Deploy-MDEndpoints", "Deploy-MDEndpointsAMA", "Deploy-MDFC-Config-H224", @@ -200,6 +200,7 @@ "Enforce-Guardrails-APIM", "Enforce-Guardrails-AppServices", "Enforce-Guardrails-Automation", + "Enforce-Guardrails-BotService", "Enforce-Guardrails-CognitiveServices", "Enforce-Guardrails-Compute", "Enforce-Guardrails-ContainerApps", diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json new file mode 100644 index 000000000..b09d4d3fc --- /dev/null +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json 
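Review bot: Replacing `"Deploy-Diag-Logs"` with `"Deploy-Diag-LogsCat"` in the root archetype substitutes one assignment for another rather than updating it in place, so on apply the old assignment, its managed identity and its role assignments are deleted and the new one starts with no compliance history; any policy exemptions scoped to the old assignment also stop applying, since exemptions bind to the assignment id. That is presumably intended (the new assignment created later in this patch targets a built-in category-group initiative), but it is an upgrade step that deserves a line in the commit or release notes. The second hunk adds `"Enforce-Guardrails-BotService"` to what looks like the `policy_set_definitions` list, which matches the set definition file this patch creates; worth confirming that list is the one being edited, since no assignment template of that name is added.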
@@ -0,0 +1,28 @@ +{ + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "Deploy-Diag-LogsCat", + "location": "${default_location}", + "dependsOn": [], + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.", + "displayName": "Enable category group resource logging for supported resources to Log Analytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5", + "enforcementMode": "Default", + "nonComplianceMessages": [ + { + "message": "Diagnostic settings {enforcementMode} be deployed to Azure services to forward logs to Log Analytics." + } + ], + "parameters": { + "logAnalytics": { + "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la" + } + }, + "scope": "${current_scope_resource_id}", + "notScopes": [] + } +} diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json index d36017ea9..f4956f8ae 100644 --- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json 
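Review bot: The `description` says the initiative routes logs "to an Event Hub", while the `displayName`, the `logAnalytics` parameter and the non-compliance message all point at a Log Analytics workspace, so one of them is a copy-paste leftover; since the description is what shows in the portal compliance view I would align it: `"description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic settings using the allLogs category group to route logs to a Log Analytics workspace for all supported resources."`. The `logAnalytics` value also embeds the literal subscription `00000000-0000-0000-0000-000000000000` next to the `${root_scope_id}` tokens; presumably the module rewrites the whole workspace id at plan time as it does for the other templates, but if that substitution is ever skipped the DeployIfNotExists remediation would target a non-existent workspace and fail silently per resource, so the convention is worth documenting where these templates are described.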
@@ -210,13 +210,13 @@ "azureStorageTableSecondaryPrivateDnsZoneId": { "value": "${private_dns_zone_prefix}privatelink.table.core.windows.net" }, - "azureSiteRecoveryBackupPrivateDnsZoneID": { + "azureSiteRecoveryBackupPrivateDnsZoneId": { "value": "${private_dns_zone_prefix}privatelink.${connectivity_location_short}.backup.windowsazure.com" }, - "azureSiteRecoveryBlobPrivateDnsZoneID": { + "azureSiteRecoveryBlobPrivateDnsZoneId": { "value": "${private_dns_zone_prefix}privatelink.blob.core.windows.net" }, - "azureSiteRecoveryQueuePrivateDnsZoneID": { + "azureSiteRecoveryQueuePrivateDnsZoneId": { "value": "${private_dns_zone_prefix}privatelink.queue.core.windows.net" } }, diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json new file mode 100644 index 000000000..f2a0da607 --- /dev/null +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json @@ -0,0 +1,28 @@ +{ + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "Enforce-Subnet-Private", + "dependsOn": [], + "properties": { + "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement", + "displayName": "Subnets should be private", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837", + "enforcementMode": "Default", + "nonComplianceMessages": [ + { + "message": "Subnets {enforcementMode} be private." + } + ], + "parameters": { + "effect": { + "value": "Audit" + } + }, + "scope": "${current_scope_resource_id}", + "notScopes": [] + }, + "location": "${default_location}", + "identity": { + "type": "None" + } +} 
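Review bot: The new assignment is named `Enforce-Subnet-Private` and its message says subnets must be private, but the `effect` parameter is set to `"Audit"`, so under this assignment subnets that keep default outbound access are only reported, never blocked. If this is an audit-first rollout ahead of the retirement linked in the description that is reasonable, but the name and the `{enforcementMode}` message will read as enforcement in the portal, so either document the phased intent or switch to `"value": "Deny"` once the platform subnets are known to be clean. `identity.type` of `None` is correct for an Audit/Deny definition with nothing to remediate.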
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json index 628ae5b66..547cca8cd 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json @@ -9,7 +9,7 @@ "displayName": "AppService append sites with minimum TLS version to enforce.", "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "App Service", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -35,6 +35,7 @@ "type": "String", "defaultValue": "1.2", "allowedValues": [ + "1.3", "1.2", "1.0", "1.1" @@ -54,7 +55,7 @@ }, { "field": "Microsoft.Web/sites/config/minTlsVersion", - "notEquals": "[parameters('minTlsVersion')]" + "less": "[parameters('minTlsVersion')]" } ] }, diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json index 817426388..aac286f37 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json 
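Review bot: Replacing `notEquals` with `less` on `Microsoft.Web/sites/config/minTlsVersion` relies on Azure Policy comparing the two strings ordinally, which orders the dotted values in `allowedValues` correctly ("1.0" < "1.1" < "1.2" < "1.3") and removes the false positive where a site already on 1.3 was flagged against a 1.2 parameter; the same substitution is made in the Redis append, Event Hub, MySQL, Redis deny, SQL, SQL MI, PostgreSQL, SQL deploy, SQL MI deploy and Storage definitions later in this patch. What `less` loses is the catch-all behaviour of `notEquals` for non-version sentinels: Azure SQL servers and managed instances accept `None` as `minimalTlsVersion`, and the MySQL and PostgreSQL single-server APIs expose `TLSEnforcementDisabled`, and both sort after the numeric values ordinally, so a server with TLS enforcement switched off would now evaluate as compliant. For those definitions I would keep the `less` branch and add a sibling `anyOf` entry such as `{ "field": "Microsoft.Sql/servers/minimalTlsVersion", "equals": "None" }` (and the `TLSEnforcementDisabled` equivalent for MySQL/PostgreSQL), with the enum values confirmed against the API versions in use. None of the enclosing `policyRule` blocks is fully visible in these hunks.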
@@ -9,7 +9,7 @@ "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cache", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -56,7 +56,7 @@ "anyOf": [ { "field": "Microsoft.Cache/Redis/minimumTlsVersion", - "notequals": "[parameters('minimumTlsVersion')]" + "less": "[parameters('minimumTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json index a1e8b33e7..6f7e7a29e 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json @@ -9,7 +9,7 @@ "displayName": "Event Hub namespaces should use a valid TLS version", "description": "Event Hub namespaces should use a valid TLS version.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Event Hub", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -52,7 +52,7 @@ "anyOf": [ { "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", - "notEquals": "[parameters('minTlsVersion')]" + "less": "[parameters('minTlsVersion')]" }, { "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", 
diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json index a8da04389..1c98aa2b4 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json @@ -9,7 +9,7 @@ "displayName": "MySQL database servers enforce SSL connections.", "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -66,7 +66,7 @@ }, { "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json index 73d491ad7..70055987b 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json 
@@ -9,7 +9,7 @@ "displayName": "Azure Cache for Redis only secure connections should be enabled", "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cache", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -41,7 +41,7 @@ "1.0" ], "metadata": { - "displayName": "Select minumum TLS version for Azure Cache for Redis.", + "displayName": "Select minimum TLS version for Azure Cache for Redis.", "description": "Select minimum TLS version for Azure Cache for Redis." } } @@ -61,7 +61,7 @@ }, { "field": "Microsoft.Cache/Redis/minimumTlsVersion", - "notequals": "[parameters('minimumTlsVersion')]" + "less": "[parameters('minimumTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json index f859443e7..f9890d9f4 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json @@ -9,7 +9,7 @@ "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version", "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
@@ -61,7 +61,7 @@ }, { "field": "Microsoft.Sql/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json index 951d1ac18..d1d555201 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json @@ -7,9 +7,9 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version", - "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json index d9d6dd82c..47cf20289 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json 
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json @@ -9,7 +9,7 @@ "displayName": "Deny vNet peering cross subscription.", "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", "metadata": { - "version": "1.0.1", + "version": "1.1.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -31,6 +31,14 @@ "Disabled" ], "defaultValue": "Deny" + }, + "allowedVnets": { + "type": "Array", + "metadata": { + "displayName": "Allowed vNets to peer with", + "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}" + }, + "defaultValue": [] } }, "policyRule": { @@ -41,8 +49,16 @@ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" }, { - "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", - "notcontains": "[subscription().id]" + "allOf": [ + { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "notIn": "[parameters('allowedVnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "notLike": "[concat(subscription().id, '/*')]" + } + ] } ] }, diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json index 3dca74215..180fb74d1 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json 
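Review bot: The new `allowedVnets` exception is not reflected in the definition's `description`, which still says peerings outside the subscription are denied unconditionally; since that text is what an assignment reviewer sees, I would change it to `"description": "This policy denies the creation of vNet Peerings outside of the same subscription under the assigned scope, unless the remote vNet resource ID is listed in the allowedVnets parameter."`. The `notIn` test is an exact match against full resource IDs, so a partial entry (a resource group or subscription prefix) does not widen the rule, which is the safe failure mode and matches what the parameter description asks for. Moving from `notcontains` on `subscription().id` to `notLike` on `concat(subscription().id, '/*')` also anchors the same-subscription check to the path prefix rather than a substring, which is a tightening. The rest of the `policyRule` continues outside the hunk.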
@@ -9,7 +9,7 @@ "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json index 3cf45b5ec..e5a74136f 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json 
@@ -9,7 +9,7 @@ "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", - "notEquals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json index caf64db9f..580c205cc 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json @@ -9,7 +9,7 @@ "displayName": "Deploy-Private-DNS-Generic", "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.", "metadata": { - "version": "1.0.0", + "version": "2.0.0", "category": "Networking", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
@@ -34,8 +34,8 @@ "privateDnsZoneId": { "type": "String", "metadata": { - "displayName": "Private DNS Zone ID for Paas services", - "description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.", + "displayName": "Private DNS Zone ID for PaaS services", + "description": "The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.", "strongType": "Microsoft.Network/privateDnsZones", "assignPermissions": true } @@ -61,11 +61,24 @@ "description": "The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists" }, "defaultValue": "PT10M" + }, + "location": { + "type": "String", + "metadata": { + "displayName": "Location (Specify the Private Endpoint location)", + "description": "Specify the Private Endpoint location", + "strongType": "location" + }, + "defaultValue": "northeurope" } }, "policyRule": { "if": { "allOf": [ + { + "field": "location", + "equals": "[parameters('location')]" + }, { "field": "type", "equals": "Microsoft.Network/privateEndpoints" diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json index 48909e0ee..51323d520 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json 
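Review bot: The new `location` condition at the top of the `if` block restricts this definition to private endpoints in a single region, and `"defaultValue": "northeurope"` means an assignment that does not set the parameter silently covers only North Europe; private endpoints elsewhere never get a DNS zone group, so their records are never written into the private DNS zone and clients cannot reach them by name over the private link, which is the gap this policy exists to close. Presumably the private DNS zones initiative in this same patch passes the region per assignment, but the generic definition is also assignable on its own, so I would drop the `defaultValue` so the region has to be chosen explicitly, or at least state the regional scoping in the definition's `description`. The 2.0.0 version bump is appropriate for this behavioural change. The remainder of the `if`/`allOf` block is outside the hunk.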
@@ -9,7 +9,7 @@ "displayName": "SQL servers deploys a specific min TLS version requirement.", "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -54,7 +54,7 @@ }, { "field": "Microsoft.Sql/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] }, diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json index a2e4c61ce..fa69bf9b3 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json 
@@ -9,7 +9,7 @@ "displayName": "SQL managed instances deploy a specific min TLS version requirement.", "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.2.0", + "version": "1.3.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -54,7 +54,7 @@ }, { "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] }, diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json index 6e0531aa6..5b624d427 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json 
@@ -9,7 +9,7 @@ "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.", "metadata": { - "version": "1.2.0", + "version": "1.3.0", "category": "Storage", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -60,7 +60,7 @@ }, { "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", - "notEquals": "[parameters('minimumTlsVersion')]" + "less": "[parameters('minimumTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json index d256cf21d..78698ddef 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Deploy Microsoft Defender for Cloud configuration", "description": "Deploy Microsoft Defender for Cloud configuration", "metadata": { - "version": "1.0.0", + "version": "2.1.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Deploy-MDFC-Config", 
@@ -59,6 +59,18 @@ "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." } }, + "createResourceGroup": { + "type": "Boolean", + "metadata": { + "displayName": "Create resource group", + "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group." + }, + "defaultValue": true, + "allowedValues": [ + true, + false + ] + }, "enableAscForCosmosDbs": { "type": "String", "allowedValues": [ @@ -355,7 +367,7 @@ }, { "policyDefinitionReferenceId": "defenderForCspm", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21", "parameters": { "effect": { "value": "[parameters('enableAscForCspm')]" @@ -386,6 +398,9 @@ "resourceGroupLocation": { "value": "[parameters('ascExportResourceGroupLocation')]" }, + "createResourceGroup": { + "value": "[parameters('createResourceGroup')]" + }, "workspaceResourceId": { "value": "[parameters('logAnalytics')]" } diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json index 27be37895..f016bc3f5 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json 
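Review bot: `createResourceGroup` defaults to `true`, and its own description says that when the resource group already exists the policy re-deploys it and resets its tags, so every remediation run of this initiative against an existing environment will strip tags from the export resource group until someone flips the parameter; a default of `false`, with `true` reserved for first deployments, is the safer choice, or the description should state plainly that tag loss is expected under the default (it also reads `does not exists`). The `defenderForCspm` reference is switched to a different built-in definition id, which is the kind of swap worth cross-checking against the built-in catalogue before merge, since a wrong id here only surfaces as a deployment failure of the whole initiative. The `parameters` block of the export policy reference continues outside the hunk.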
@@ -8,7 +8,7 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", "metadata": { - "version": "2.2.0", + "version": "2.3.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ 
@@ -16,6 +16,184 @@
 ]
 },
 "parameters": {
+ "dnsZoneSubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "Subscription Id",
+ "description": "The subscription id where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified."
+ }
+ },
+ "dnsZoneResourceGroupName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "Resource Group Name",
+ "description": "The resource group where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified."
+ }
+ },
+ "dnsZoneResourceType": {
+ "type": "string",
+ "defaultValue": "Microsoft.Network/privateDnsZones",
+ "metadata": {
+ "displayName": "Resource Type",
+ "description": "The resource type where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified."
+ }
+ },
+ "dnsZoneRegion": {
+ "type": "string",
+ "defaultValue": "changeme",
+ "metadata": {
+ "displayName": "Region",
+ "description": "The region where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified."
+ }
+ },
+ "dnzZoneRegionShortNames": {
+ "type": "object",
+ "defaultValue": {
+ "changeme": "changeme",
+ "australiacentral": "acl",
+ "australiacentral2": "acl2",
+ "australiaeast": "ae",
+ "australiasoutheast": "ase",
+ "brazilsoutheast": "bse",
+ "brazilsouth": "brs",
+ "canadacentral": "cnc",
+ "canadaeast": "cne",
+ "centralindia": "inc",
+ "centralus": "cus",
+ "centraluseuap": "ccy",
+ "chilecentral": "clc",
+ "eastasia": "ea",
+ "eastus": "eus",
+ "eastus2": "eus2",
+ "eastus2euap": "ecy",
+ "francecentral": "frc",
+ "francesouth": "frs",
+ "germanynorth": "gn",
+ "germanywestcentral": "gwc",
+ "israelcentral": "ilc",
+ "italynorth": "itn",
+ "japaneast": "jpe",
+ "japanwest": "jpw",
+ "koreacentral": "krc",
+ "koreasouth": "krs",
+ "malaysiasouth": "mys",
+ "malaysiawest": "myw",
+ "mexicocentral": "mxc",
+ "newzealandnorth": "nzn",
+ "northcentralus": "ncus",
+ "northeurope": "ne",
+ "norwayeast": "nwe",
+ "norwaywest": "nww",
+ "polandcentral": "plc",
+ "qatarcentral": "qac",
+ "southafricanorth": "san",
+ "southafricawest": "saw",
+ "southcentralus": "scus",
+ "southeastasia": "sea",
+ "southindia": "ins",
+ "spaincentral": "spc",
+ "swedencentral": "sdc",
+ "swedensouth": "sds",
+ "switzerlandnorth": "szn",
+ "switzerlandwest": "szw",
+ "taiwannorth": "twn",
+ "uaecentral": "uac",
+ "uaenorth": "uan",
+ "uksouth": "uks",
+ "ukwest": "ukw",
+ "westcentralus": "wcus",
+ "westeurope": "we",
+ "westindia": "inw",
+ "westus": "wus",
+ "westus2": "wus2",
+ "westus3": "wus3"
+ },
+ "metadata": {
+ "displayName": "Region Short Name Mapping",
+ "description": "Mapping of region to private DNS zone resource id. If the region is not specified, the default private DNS zone resource id will be used."
+ }
+ },
+ "dnsZoneNames": {
+ "type": "object",
+ "defaultValue": {
+ "azureAcrPrivateDnsZoneId": "privatelink.azurecr.io",
+ "azureAcrDataPrivateDnsZoneId": "{regionName}.data.privatelink.azurecr.io",
+ "azureAppPrivateDnsZoneId": "privatelink.azconfig.io",
+ "azureAppServicesPrivateDnsZoneId": "privatelink.azurewebsites.net",
+ "azureArcGuestconfigurationPrivateDnsZoneId": "privatelink.guestconfiguration.azure.com",
+ "azureArcHybridResourceProviderPrivateDnsZoneId": "privatelink.his.arc.azure.com",
+ "azureArcKubernetesConfigurationPrivateDnsZoneId": "privatelink.dp.kubernetesconfiguration.azure.com",
+ "azureAsrPrivateDnsZoneId": "privatelink.siterecovery.windowsazure.com",
+ "azureAutomationDSCHybridPrivateDnsZoneId": "privatelink.azure-automation.net",
+ "azureAutomationWebhookPrivateDnsZoneId": "privatelink.azure-automation.net",
+ "azureBatchPrivateDnsZoneId": "privatelink.batch.azure.com",
+ "azureBotServicePrivateDnsZoneId": "privatelink.directline.botframework.com",
+ "azureCognitiveSearchPrivateDnsZoneId": "privatelink.search.windows.net",
+ "azureCognitiveServicesPrivateDnsZoneId": "privatelink.cognitiveservices.azure.com",
+ "azureCosmosCassandraPrivateDnsZoneId": "privatelink.cassandra.cosmos.azure.com",
+ "azureCosmosGremlinPrivateDnsZoneId": "privatelink.gremlin.cosmos.azure.com",
+ "azureCosmosMongoPrivateDnsZoneId": "privatelink.mongo.cosmos.azure.com",
+ "azureCosmosSQLPrivateDnsZoneId": "privatelink.documents.azure.com",
+ "azureCosmosTablePrivateDnsZoneId": "privatelink.table.cosmos.azure.com",
+ "azureDataExplorerPrivateDnsZoneId": "privatelink.{regionName}.kusto.windows.net",
+ "azureDataFactoryPortalPrivateDnsZoneId": "privatelink.adf.azure.com",
+ "azureDataFactoryPrivateDnsZoneId": "privatelink.datafactory.azure.net",
+ "azureDatabricksPrivateDnsZoneId": "privatelink.azuredatabricks.net",
+ "azureDiskAccessPrivateDnsZoneId": "privatelink.blob.core.windows.net",
+ "azureEventGridDomainsPrivateDnsZoneId": "privatelink.eventgrid.azure.net",
+ "azureEventGridTopicsPrivateDnsZoneId": "privatelink.eventgrid.azure.net",
+ "azureEventHubNamespacePrivateDnsZoneId": "privatelink.servicebus.windows.net",
+ "azureFilePrivateDnsZoneId": "privatelink.afs.azure.net",
+ "azureHDInsightPrivateDnsZoneId": "privatelink.azurehdinsight.net",
+ "azureIotCentralPrivateDnsZoneId": "privatelink.azureiotcentral.com",
+ "azureIotDeviceupdatePrivateDnsZoneId": "privatelink.azure-devices.net",
+ "azureIotHubsPrivateDnsZoneId": "privatelink.azure-devices.net",
+ "azureIotPrivateDnsZoneId": "privatelink.azure-devices-provisioning.net",
+ "azureKeyVaultPrivateDnsZoneId": "privatelink.vaultcore.azure.net",
+ "azureKubernetesManagementPrivateDnsZoneId": "privatelink.{regionName}.azmk8s.io",
+ "azureMachineLearningWorkspacePrivateDnsZoneId": "privatelink.api.azureml.ms",
+ "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": "privatelink.notebooks.azure.net",
+ "azureManagedGrafanaWorkspacePrivateDnsZoneId": "privatelink.grafana.azure.com",
+ "azureMediaServicesKeyPrivateDnsZoneId": "privatelink.media.azure.net",
+ "azureMediaServicesLivePrivateDnsZoneId": "privatelink.media.azure.net",
+ "azureMediaServicesStreamPrivateDnsZoneId": "privatelink.media.azure.net",
+ "azureMigratePrivateDnsZoneId": "privatelink.prod.migration.windowsazure.com",
+ "azureMonitorPrivateDnsZoneId1": "privatelink.monitor.azure.com",
+ "azureMonitorPrivateDnsZoneId2": "privatelink.oms.opinsights.azure.com",
+ "azureMonitorPrivateDnsZoneId3": "privatelink.ods.opinsights.azure.com",
+ "azureMonitorPrivateDnsZoneId4": "privatelink.agentsvc.azure-automation.net",
+ "azureMonitorPrivateDnsZoneId5": "privatelink.blob.core.windows.net",
+ "azureRedisCachePrivateDnsZoneId": "privatelink.redis.cache.windows.net",
+ "azureServiceBusNamespacePrivateDnsZoneId": "privatelink.servicebus.windows.net",
+ "azureSignalRPrivateDnsZoneId": "privatelink.service.signalr.net",
+ "azureSiteRecoveryBackupPrivateDnsZoneId": "privatelink.{regionCode}.backup.windowsazure.com",
+ "azureSiteRecoveryBlobPrivateDnsZoneId": "privatelink.blob.core.windows.net",
+ "azureSiteRecoveryQueuePrivateDnsZoneId": "privatelink.queue.core.windows.net",
+ "azureStorageBlobPrivateDnsZoneId": "privatelink.blob.core.windows.net",
+ "azureStorageBlobSecPrivateDnsZoneId": "privatelink.blob.core.windows.net",
+ "azureStorageDFSPrivateDnsZoneId": "privatelink.dfs.core.windows.net",
+ "azureStorageDFSSecPrivateDnsZoneId": "privatelink.dfs.core.windows.net",
+ "azureStorageFilePrivateDnsZoneId": "privatelink.file.core.windows.net",
+ "azureStorageQueuePrivateDnsZoneId": "privatelink.queue.core.windows.net",
+ "azureStorageQueueSecPrivateDnsZoneId": "privatelink.queue.core.windows.net",
+ "azureStorageStaticWebPrivateDnsZoneId": "privatelink.web.core.windows.net",
+ "azureStorageStaticWebSecPrivateDnsZoneId": "privatelink.web.core.windows.net",
+ "azureStorageTablePrivateDnsZoneId": "privatelink.table.core.windows.net",
+ "azureStorageTableSecondaryPrivateDnsZoneId": "privatelink.table.core.windows.net",
+ "azureSynapseDevPrivateDnsZoneId": "privatelink.dev.azuresynapse.net",
+ "azureSynapseSQLPrivateDnsZoneId": "privatelink.sql.azuresynapse.net",
+ "azureSynapseSQLODPrivateDnsZoneId": "privatelink.sql.azuresynapse.net",
+ "azureVirtualDesktopHostpoolPrivateDnsZoneId": "privatelink.wvd.microsoft.com",
+ "azureVirtualDesktopWorkspacePrivateDnsZoneId": "privatelink.wvd.microsoft.com",
+ "azureWebPrivateDnsZoneId": "privatelink.webpubsub.azure.com"
+ },
+ "metadata": {
+ "displayName": "DNS Zone Names",
+ "description": "The list of private DNS zone names to be used for the Azure PaaS services."
+ }
+ },
 "azureFilePrivateDnsZoneId": {
 "type": "string",
 "defaultValue": "",
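Review bot: The descriptions of `dnsZoneResourceGroupName`, `dnsZoneResourceType` and `dnsZoneRegion` each claim "If this is specified, it will override any individual private DNS zone resource ids specified", but the override expressions later in this file are gated solely on `dnsZoneSubscriptionId` being non-empty; setting a region or resource group on its own changes nothing, and setting the subscription while leaving `dnsZoneResourceGroupName` at `""` produces ids of the form `/subscriptions/<id>/resourceGroups//providers/...`. Suggest stating the real contract on each dependent parameter, e.g. `"description": "Only used when dnsZoneSubscriptionId is set; all per-zone ids are then derived from dnsZoneSubscriptionId, dnsZoneResourceGroupName, dnsZoneResourceType, dnsZoneRegion and dnsZoneNames, and the individual *PrivateDnsZoneId parameters are ignored."`. The `dnzZoneRegionShortNames` description ("Mapping of region to private DNS zone resource id") does not describe its content, which maps a region name to the short code substituted for `{regionCode}`, and the parameter name itself carries a `dnz` typo that becomes a compatibility commitment once assignments reference it. `dnsZoneRegion` defaults to the sentinel `changeme`, mirrored by the `"changeme": "changeme"` map entry, so a forgotten region silently yields non-existent zone ids such as `changeme.data.privatelink.azurecr.io`; an `allowedValues` list drawn from the map keys, or at least an explicit warning in the description, would surface that at assignment time rather than at remediation.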
@@ -592,29 +770,29 @@
 "description": "Private DNS Zone Identifier"
 }
 },
- "azureSiteRecoveryBackupPrivateDnsZoneID": {
+ "azureSiteRecoveryBackupPrivateDnsZoneId": {
 "type": "string",
 "defaultValue": "",
 "metadata": {
- "displayName": "azureSiteRecoveryBackupPrivateDnsZoneID",
+ "displayName": "azureSiteRecoveryBackupPrivateDnsZoneId",
 "strongType": "Microsoft.Network/privateDnsZones",
 "description": "Private DNS Zone Identifier"
 }
 },
- "azureSiteRecoveryBlobPrivateDnsZoneID": {
+ "azureSiteRecoveryBlobPrivateDnsZoneId": {
 "type": "string",
 "defaultValue": "",
 "metadata": {
- "displayName": "azureSiteRecoveryBlobPrivateDnsZoneID",
+ "displayName": "azureSiteRecoveryBlobPrivateDnsZoneId",
 "strongType": "Microsoft.Network/privateDnsZones",
 "description": "Private DNS Zone Identifier"
 }
 },
- "azureSiteRecoveryQueuePrivateDnsZoneID": {
+ "azureSiteRecoveryQueuePrivateDnsZoneId": {
 "type": "string",
 "defaultValue": "",
 "metadata": {
- "displayName": "azureSiteRecoveryQueuePrivateDnsZoneID",
+ "displayName": "azureSiteRecoveryQueuePrivateDnsZoneId",
 "strongType": "Microsoft.Network/privateDnsZones",
 "description": "Private DNS Zone Identifier"
 }
@@ -650,7 +828,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureFilePrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
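Review bot: Renaming `azureSiteRecoveryBackupPrivateDnsZoneID`, `azureSiteRecoveryBlobPrivateDnsZoneID` and `azureSiteRecoveryQueuePrivateDnsZoneID` to the `...Id` spelling changes the public parameter names of this set, yet the metadata version at hunk `-8,7` only moves from 2.2.0 to 2.3.0. If the consuming module matches assignment parameter names case-sensitively (the templating that produces these files presumably does; Azure Policy's own `parameters()` lookup may not), any existing assignment still supplying the `...ID` names will stop binding, so either the major version should be bumped or the rename called out in the release notes, with the matching assignment template updated in the same change.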
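Review bot: The override expression indexes `parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')]` unconditionally inside the `format()` branch, so once `dnsZoneSubscriptionId` is set, a region absent from the map (any region added after this file, or the `changeme` default left in place) breaks the lookup for every policy reference, not only the few zones whose name contains `{regionCode}`; the identical expression is repeated in every hunk from here through `-1110,7`. Guarding the lookup confines a map gap to the region-specific zones: `replace(..., '{regionCode}', if(contains(parameters('dnzZoneRegionShortNames'), parameters('dnsZoneRegion')), parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')], parameters('dnsZoneRegion')))`. Because these are DeployIfNotExists references, a malformed zone id does not block the private endpoint; it leaves the DNS zone group undeployed, so clients in the VNet typically keep resolving the service's public address — precisely the exposure private DNS integration exists to close — which makes the assignment's remediation/compliance results worth monitoring after rollout. A roughly 500-character expression copied some forty times is also hard to audit; since policy JSON offers no helper, the derivation rule (subscription + lower-cased resource group + type + templated zone name) deserves a sentence in the set's `description` so reviewers need not reverse-engineer it per reference.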
@@ -663,7 +841,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureAutomationWebhookPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "privateEndpointGroupId": {
 "value": "Webhook"
@@ -679,7 +857,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "privateEndpointGroupId": {
 "value": "DSCAndHybridWorker"
@@ -695,7 +873,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureCosmosSQLPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "privateEndpointGroupId": {
 "value": "SQL"
@@ -711,7 +889,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureCosmosMongoPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "privateEndpointGroupId": {
 "value": "MongoDB"
@@ -727,7 +905,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureCosmosCassandraPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "privateEndpointGroupId": {
 "value": "Cassandra"
@@ -743,7 +921,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureCosmosGremlinPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "privateEndpointGroupId": {
 "value": "Gremlin"
@@ -759,7 +937,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureCosmosTablePrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "privateEndpointGroupId": {
 "value": "Table"
@@ -775,7 +953,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureDataFactoryPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "listOfGroupIds": {
 "value": [
@@ -793,7 +971,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureDataFactoryPortalPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "listOfGroupIds": {
 "value": [
@@ -811,7 +989,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureDatabricksPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "groupId": {
 "value": "databricks_ui_api"
@@ -827,7 +1005,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureDatabricksPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "groupId": {
 "value": "browser_authentication"
@@ -843,7 +1021,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureHDInsightPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "groupId": {
 "value": "cluster"
@@ -859,7 +1037,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureMigratePrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
@@ -872,7 +1050,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureStorageBlobPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
@@ -885,7 +1063,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureStorageBlobSecPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
@@ -898,7 +1076,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureStorageQueuePrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
@@ -911,7 +1089,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureStorageQueueSecPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
@@ -924,7 +1102,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureStorageFilePrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
@@ -937,7 +1115,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureStorageStaticWebPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
@@ -950,7 +1128,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
@@ -963,7 +1141,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureStorageDFSPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
@@ -976,7 +1154,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureStorageDFSSecPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "effect": {
 "value": "[parameters('effect')]"
@@ -989,7 +1167,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureSynapseSQLPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "targetSubResource": {
 "value": "Sql"
@@ -1005,7 +1183,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureSynapseSQLODPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "targetSubResource": {
 "value": "SqlOnDemand"
@@ -1021,7 +1199,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureSynapseDevPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "targetSubResource": {
 "value": "Dev"
@@ -1037,7 +1215,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureMediaServicesKeyPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "groupId": {
 "value": "keydelivery"
@@ -1053,7 +1231,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureMediaServicesLivePrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "groupId": {
 "value": "liveevent"
@@ -1069,7 +1247,7 @@
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991",
 "parameters": {
 "privateDnsZoneId": {
- "value": "[parameters('azureMediaServicesStreamPrivateDnsZoneId')]"
+ "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
 },
 "groupId": {
 "value": "streamingendpoint"
@@ -1085,19 +1263,19 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365", "parameters": { "privateDnsZoneId1": { - "value": "[parameters('azureMonitorPrivateDnsZoneId1')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "privateDnsZoneId2": { - "value": "[parameters('azureMonitorPrivateDnsZoneId2')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId2'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId2, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "privateDnsZoneId3": { - "value": "[parameters('azureMonitorPrivateDnsZoneId3')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId3'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId3, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "privateDnsZoneId4": { - "value": 
"[parameters('azureMonitorPrivateDnsZoneId4')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId4'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId4, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "privateDnsZoneId5": { - "value": "[parameters('azureMonitorPrivateDnsZoneId5')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId5'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId5, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1110,7 +1288,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureWebPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
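Review bot: When `dnsZoneSubscriptionId` is non-empty, each `privateDnsZoneId1`..`5` in this hunk is resolved by indexing `parameters('dnzZoneRegionShortNames')` with `parameters('dnsZoneRegion')`, so the explicit `azureMonitorPrivateDnsZoneIdN` inputs are then ignored and a region that is absent from that map presumably makes the expression — and with it the whole initiative — fail to evaluate rather than fall back to the explicit value; a `contains()` guard or a documented "region must be a key of the map" requirement on the parameter declaration (outside this hunk) would make that failure mode explicit. The constructed ID targets a zone in another subscription, and the built-in DeployIfNotExists definitions only get their `roleDefinitionIds` granted at the assignment scope, so the assignment's managed identity very likely also needs Private DNS Zone Contributor on the zone's resource group in `dnsZoneSubscriptionId` — confirm that is called out for consumers. `dnzZoneRegionShortNames` reads like a typo for `dnsZoneRegionShortNames`, but it is used consistently throughout the file and renaming it would break existing assignments, so keep it and explain the spelling in that parameter's `metadata.description`. The enclosing `policyDefinitions` array starts and ends outside this hunk.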
@@ -1123,7 +1301,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureBatchPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1136,7 +1314,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureAppPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1149,7 +1327,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureAsrPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1162,7 +1340,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureIotPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1175,7 +1353,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureKeyVaultPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1188,7 +1366,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureSignalRPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1201,7 +1379,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureAppServicesPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1214,7 +1392,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureEventGridTopicsPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect1')]" 
@@ -1227,7 +1405,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureDiskAccessPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1240,7 +1418,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureCognitiveServicesPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1253,7 +1431,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureIotHubsPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect1')]" @@ -1266,7 +1444,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureEventGridDomainsPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect1')]" 
@@ -1279,7 +1457,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureRedisCachePrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1292,7 +1470,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureAcrPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1305,7 +1483,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureEventHubNamespacePrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1318,10 +1496,10 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "secondPrivateDnsZoneId": { - "value": "[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspaceSecondPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1334,7 +1512,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureServiceBusNamespacePrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1347,7 +1525,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureCognitiveSearchPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1360,7 +1538,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureBotServicePrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1373,7 +1551,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1386,7 +1564,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "privateEndpointGroupId": { "value": "connection" @@ -1402,7 +1580,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "privateEndpointGroupId": { "value": "feed" 
@@ -1418,7 +1596,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureIotDeviceupdatePrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1431,13 +1609,13 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9", "parameters": { "privateDnsZoneIDForGuestConfiguration": { - "value": "[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "privateDnsZoneIDForHybridResourceProvider": { - "value": "[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcHybridResourceProviderPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcHybridResourceProviderPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "privateDnsZoneIDForKubernetesConfiguration": { - "value": "[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcKubernetesConfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), 
replace(replace(parameters('dnsZoneNames').azureArcKubernetesConfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1450,7 +1628,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureIotCentralPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" @@ -1463,7 +1641,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureStorageTablePrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1476,7 +1654,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f", "parameters": { "privateDnsZoneId": { - "value": "[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" 
@@ -1489,13 +1667,13 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820", "parameters": { "privateDnsZone-Backup": { - "value": "[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "privateDnsZone-Blob": { - "value": "[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "privateDnsZone-Queue": { - "value": "[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]" + "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', 
parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" }, "effect": { "value": "[parameters('effect')]" diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json index a51b7de08..7b07b46bd 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "metadata": { - "version": "3.0.0", + "version": "3.1.0", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -329,6 +329,18 @@ "Deny", "Disabled" ] + }, + "botServiceCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "audit", + "Deny", + "deny", + "Disabled", + "disabled" + ] } }, "policyDefinitions": [ @@ -621,6 +633,16 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-BotService-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f", + "parameters": { + "effect": { + "value": "[parameters('botServiceCmk')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json new file mode 100644 index 000000000..e27021b39 --- /dev/null +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json 
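Review bot: The three Site Recovery references in this hunk change from `azureSiteRecovery…PrivateDnsZoneID` to `azureSiteRecovery…PrivateDnsZoneId` on the new side, and an initiative whose `parameters('…')` reference has no matching declaration is rejected on write, so the declarations in the `parameters` block and the matching `dnsZoneNames` keys (both outside this hunk) must carry the same lowercase `Id` spelling — confirm they were renamed in the same sync rather than only here. If the `…ZoneID` names were previously accepted as assignment inputs, any consumer passing them by name now fails validation, which warrants a bump of this initiative's `metadata.version` (also outside the hunk) and a changelog line. The `policyDefinitions` array this entry belongs to is not fully visible in the hunk.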
@@ -0,0 +1,107 @@
+{
+ "name": "Enforce-Guardrails-BotService",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Enforce recommended guardrails for Bot Service",
+ "description": "This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Bot Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "botServiceValidUri": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "audit",
+ "Deny",
+ "deny",
+ "Disabled",
+ "disabled"
+ ]
+ },
+ "botServiceIsolatedMode": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "audit",
+ "Deny",
+ "deny",
+ "Disabled",
+ "disabled"
+ ]
+ },
+ "botServiceLocalAuth": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "botServicePrivateLink": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "Deny-BotService-Valid-Uri",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('botServiceValidUri')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-BotService-Isolated-Mode",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('botServiceIsolatedMode')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-BotService-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('botServiceLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Audit-BotService-Private-Link",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('botServicePrivateLink')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
index a10aab0ab..a846b06a0 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Cognitive Services",
 "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Cognitive Services",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -44,6 +44,14 @@
 "Disabled"
 ]
 },
+ "cognitiveServicesLocalAuth": {
+ "type": "string",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ]
+ },
 "modifyCognitiveSearchPublicEndpoint": {
 "type": "string",
 "defaultValue": "Modify",
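Review bot: Within this one new file, `botServiceValidUri` and `botServiceIsolatedMode` accept both `Deny` and `deny` while `botServiceLocalAuth` and `botServicePrivateLink` accept only the capitalized spellings; `allowedValues` is validated literally, so an assignment that passes lowercase values for all four parameters is accepted for two of them and rejected for the other two, and the file should use one convention throughout. None of the four parameters declares `metadata` with a `displayName` or `description`, so the assignment UI shows only the raw names; one sentence per parameter tying it to its reference, e.g. on `botServiceLocalAuth`: `"metadata": { "description": "Effect for Deny-BotService-Local-Auth; Deny blocks bots that keep local authentication enabled" }`, would make the defaults reviewable. The file is also committed without a trailing newline (`\ No newline at end of file`); since it is generated, the next regeneration that adds one will churn the closing brace for no functional reason.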
@@ -59,6 +67,32 @@
 "Modify",
 "Disabled"
 ]
+ },
+ "cognitiveServicesManagedIdentity": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesCustomerStorage": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "cognitiveServicesResourceLogs": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
 }
 },
 "policyDefinitions": [
@@ -111,6 +145,46 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesManagedIdentity')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-Cognitive-Services-Customer-Storage",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesCustomerStorage')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesLocalAuth')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Aine-Cognitive-Services-Resource-Logs",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('cognitiveServicesResourceLogs')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
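Review bot: `cognitiveServicesLocalAuth` (declared in the `@@ -44` hunk, consumed by `Modify-Cognitive-Services-Local-Auth` in the `@@ -111` hunk) defaults to `Modify`, the one new effect here that rewrites existing resources instead of auditing or blocking new ones; on assignment every in-scope account presumably has local (key) authentication switched off at its next evaluation, which breaks clients still using keys, so the default deserves an explicit call-out. A `Modify` effect also requires the assignment to carry a managed identity with write access to the accounts; the assignment is outside this diff, so confirm it already has one (the pre-existing `modifyCognitiveSearchPublicEndpoint` parameter suggests it does). I would document both on the parameter: `"metadata": { "description": "Modify disables local authentication on existing accounts; the assignment identity needs write access to Cognitive Services accounts" }`. The parameter name also breaks the file's pattern: its neighbour is effect-prefixed (`modifyCognitiveSearchPublicEndpoint`) while the four new ones are service-prefixed (`cognitiveServices…`), so pick one scheme for new additions.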
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
index a4a15c22a..1c683c4a2 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Machine Learning",
 "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Machine Learning",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -59,6 +59,80 @@
 "Modify",
 "Disabled"
 ]
+ },
+ "mlIdleShutdown": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mlVirtualNetwork": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "mlLegacyMode": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mlPrivateLink": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "mlResourceLogs": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
+ },
+ "mlAllowedRegistryDeploy": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "mlAllowedModule": {
+ "type": "string",
+ "defaultValue": "enforceSetting",
+ "allowedValues": [
+ "enforceSetting",
+ "disabled"
+ ]
+ },
+ "mlAllowedPython": {
+ "type": "string",
+ "defaultValue": "enforceSetting",
+ "allowedValues": [
+ "enforceSetting",
+ "disabled"
+ ]
+ },
+ "mlAllowedRegistries": {
+ "type": "string",
+ "defaultValue": "enforceSetting",
+ "allowedValues": [
+ "enforceSetting",
+ "disabled"
+ ]
 }
 },
 "policyDefinitions": [
@@ -111,6 +185,96 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Idle-Shutdown",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlIdleShutdown')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Audit-ML-Virtual-Network",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlVirtualNetwork')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Legacy-Mode",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlLegacyMode')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Audit-ML-Private-Link",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlPrivateLink')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Aine-ML-Resource-Logs",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlResourceLogs')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Allowed-Registry-Deploy",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlAllowedRegistryDeploy')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Allowed-Module",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlAllowedModule')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Allowed-Python",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlAllowedPython')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-ML-Allowed-Registries",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('mlAllowedRegistries')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
index f58a16c10..2b6dbbbc5 100644
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
@@ -8,7 +8,7 @@
 "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)",
 "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Cognitive Services",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
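Review bot: The reference ids `Deny-ML-Allowed-Module`, `Deny-ML-Allowed-Python` and `Deny-ML-Allowed-Registries` carry a `Deny-` prefix, but the parameters they read (`mlAllowedModule`, `mlAllowedPython`, `mlAllowedRegistries` in the `@@ -59` hunk) allow only `enforceSetting`/`disabled`, so the prefix no longer describes the effect the way `Audit-`, `Aine-` and the other `Deny-` ids in this hunk do; an `Enforce-ML-…` prefix would keep the convention honest. Those three definitions are referenced with `effect` alone; if the built-ins behind them take list parameters (the allowed modules, package channels or registries) the initiative silently inherits whatever defaults they declare, which should be verified and, where a list is required, surfaced as initiative parameters so an assignment can set it. `mlAllowedRegistryDeploy` allows only `Deny`/`Disabled`, unlike every other `Deny`-default parameter in the file which also offers `Audit` as a rollout step; check whether the referenced definition accepts `Audit` before leaving it out.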
@@ -70,6 +70,47 @@
 "Deny",
 "Disabled"
 ]
+ },
+ "azureAiNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ]
+ },
+ "azureAiPrivateLink": {
+ "type": "string",
+ "defaultValue": "Audit",
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "azureAiDisableLocalKey": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "azureAiDisableLocalKey2": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ]
+ },
+ "azureAiDiagSettings": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ]
 }
 },
 "policyDefinitions": [
@@ -132,6 +173,56 @@
 }
 },
 "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Deny-AzureAI-Network-Access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('azureAiNetworkAccess')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Audit-AzureAI-Private-Link",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('azureAiPrivateLink')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('azureAiDisableLocalKey')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key2",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('azureAiDisableLocalKey2')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "Aine-AzureAI-Diag-Settings",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('azureAiDiagSettings')]"
+ }
+ },
+ "groupNames": []
 }
 ],
 "policyDefinitionGroups": null
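Review bot: `Dine-AzureAI-Local-Key` and `Dine-AzureAI-Local-Key2`, together with the parameters `azureAiDisableLocalKey` and `azureAiDisableLocalKey2` in the `@@ -70` hunk, differ only by a numeric suffix, which tells a reader nothing about why two `DeployIfNotExists` definitions for the same setting are needed or which accounts each one covers; name them after what distinguishes the two built-ins, or at least give each parameter a `metadata.description` stating the resource kind or API it targets, so an operator can tell which one to disable. The naming also diverges from the sibling initiatives in this commit: resource logging is `azureAiDiagSettings` here but `cognitiveServicesResourceLogs` and `mlResourceLogs` in the other two files for the same `AuditIfNotExists` pattern. Both `DeployIfNotExists` parameters default to enabled under a minor version bump; for an existing assignment that means accounts already in scope are reported non-compliant and new or updated ones are reconfigured on evaluation, which is worth a sentence in the initiative description since it depends on the assignment identity having the role those deployments need.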