Update Library Templates (automated)

modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json

@@ -67,6 +67,8 @@
       "Deny-VNET-Peer-Cross-Sub",
       "Deny-VNET-Peering-To-Non-Approved-VNETs",
       "Deny-VNet-Peering",
+      "DenyAction-ActivityLogs",
+      "DenyAction-DiagnosticLogs",
       "Deploy-ASC-SecurityContacts",
       "Deploy-Budget",
       "Deploy-Custom-Route-Table",
@@ -144,6 +146,7 @@
     "policy_set_definitions": [
       "Audit-UnusedResourcesCostOptimization",
       "Deny-PublicPaaSEndpoints",
+      "DenyAction-DeleteProtection",
       "Deploy-Diagnostics-LogAnalytics",
       "Deploy-MDFC-Config",
       "Deploy-Private-DNS-Zones",

modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json

@@ -48,6 +48,9 @@
       "azureDataFactoryPortalPrivateDnsZoneId": {
         "value": "${private_dns_zone_prefix}privatelink.adf.azure.com"
       },
+      "azureDatabricksPrivateDnsZoneId": {
+        "value": "${private_dns_zone_prefix}privatelink.azuredatabricks.net"
+      },
       "azureHDInsightPrivateDnsZoneId": {
         "value": "${private_dns_zone_prefix}privatelink.azurehdinsight.net"
       },

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_machinelearning_publicnetworkaccess.json

@@ -7,12 +7,13 @@
     "policyType": "Custom",
     "mode": "Indexed",
     "displayName": "[Deprecated] Azure Machine Learning should have disabled public network access",
-    "description": "Denies public network access for Azure Machine Learning workspaces.",
+    "description": "Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html",
     "metadata": {
       "version": "1.0.0-deprecated",
       "category": "Machine Learning",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "deprecated": true,
+      "supersededBy": "438c38d2-3772-465a-a9cc-7a6666a275ce",
       "alzCloudEnvironments": [
         "AzureCloud"
       ]

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mgmtports_from_internet.json

@@ -12,6 +12,7 @@
       "version": "2.1.0",
       "category": "Network",
       "source": "https://github.com/Azure/Enterprise-Scale/",
+      "replacesPolicy": "Deny-RDP-From-Internet",
       "alzCloudEnvironments": [
         "AzureCloud",
         "AzureChinaCloud",

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_postgresql_http.json

@@ -42,8 +42,8 @@
           "TLSEnforcementDisabled"
         ],
         "metadata": {
-          "displayName": "Select version minimum TLS for MySQL server",
-          "description": "Select version  minimum TLS version Azure Database for MySQL server to enforce"
+          "displayName": "Select version minimum TLS for PostgreSQL server",
+          "description": "Select version  minimum TLS version Azure Database for PostgreSQL server to enforce"
         }
       }
     },

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_publicendpoint_mariadb.json

@@ -7,12 +7,13 @@
     "policyType": "Custom",
     "mode": "Indexed",
     "displayName": "[Deprecated] Public network access should be disabled for MariaDB",
-    "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints",
+    "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html",
     "metadata": {
       "version": "1.0.0-deprecated",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "deprecated": true,
+      "supersededBy": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
       "alzCloudEnvironments": [
         "AzureCloud",
         "AzureChinaCloud",

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_publicip.json

@@ -7,9 +7,10 @@
     "policyType": "Custom",
     "mode": "Indexed",
     "displayName": "[Deprecated] Deny the creation of public IP",
-    "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope.",
+    "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.",
     "metadata": {
       "deprecated": true,
+      "supersededBy": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
       "version": "1.0.0-deprecated",
       "category": "Network",
       "source": "https://github.com/Azure/Enterprise-Scale/",

modules/archetypes/lib/policy_definitions/policy_definition_es_deny_rdp_from_internet.json

@@ -7,9 +7,10 @@
     "policyType": "Custom",
     "mode": "All",
     "displayName": "[Deprecated] RDP access from the Internet should be blocked",
-    "description": "This policy denies any network security rule that allows RDP access from Internet. This policy is superceded by new custom ALZ policy 'Deny-MgmtPorts-From-Internet'.",
+    "description": "This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html",
     "metadata": {
       "deprecated": true,
+      "supersededBy": "Deny-MgmtPorts-From-Internet",
       "version": "1.0.1-deprecated",
       "category": "Network",
       "source": "https://github.com/Azure/Enterprise-Scale/",

modules/archetypes/lib/policy_definitions/policy_definition_es_denyaction_activitylogs.json

@@ -0,0 +1,38 @@
+{
+  "name": "DenyAction-ActivityLogs",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "displayName": "DenyAction implementation on Activity Logs",
+    "description": "This is a DenyAction implementation policy on Activity Logs.",
+    "metadata": {
+      "deprecated": false,
+      "version": "1.0.0",
+      "category": "Monitoring",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {},
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.Resources/subscriptions/providers/diagnosticSettings"
+      },
+      "then": {
+        "effect": "denyAction",
+        "details": {
+          "actionNames": [
+            "delete"
+          ]
+        }
+      }
+    }
+  }
+}

modules/archetypes/lib/policy_definitions/policy_definition_es_denyaction_diagnosticlogs.json

@@ -0,0 +1,38 @@
+{
+  "name": "DenyAction-DiagnosticLogs",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "displayName": "DenyAction implementation on Diagnostic Logs.",
+    "description": "DenyAction implementation on Diagnostic Logs.",
+    "metadata": {
+      "deprecated": false,
+      "version": "1.0.0",
+      "category": "Monitoring",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {},
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.Insights/diagnosticSettings"
+      },
+      "then": {
+        "effect": "denyAction",
+        "details": {
+          "actionNames": [
+            "delete"
+          ]
+        }
+      }
+    }
+  }
+}

modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_diagnostics_cosmosdb.json

@@ -9,7 +9,7 @@
     "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
     "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "Monitoring",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -181,6 +181,10 @@
                         {
                           "category": "GremlinRequests",
                           "enabled": "[parameters('logsEnabled')]"
+                        },
+                        {
+                          "category": "TableApiRequests",
+                          "enabled": "[parameters('logsEnabled')]"
                         }
                       ]
                     }

modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json

@@ -9,7 +9,7 @@
     "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.",
     "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -84,7 +84,7 @@
             ]
           },
           "roleDefinitionIds": [
-            "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
           ],
           "deployment": {
             "properties": {

modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_nsg_flowlogs.json

@@ -7,9 +7,10 @@
     "policyType": "Custom",
     "mode": "Indexed",
     "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics",
-    "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period.",
+    "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html",
     "metadata": {
       "deprecated": true,
+      "supersededBy": "e920df7f-9a64-4066-9b58-52684c02a091",
       "version": "1.0.0-deprecated",
       "category": "Monitoring",
       "source": "https://github.com/Azure/Enterprise-Scale/",

modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_nsg_flowlogs_to_la.json

@@ -7,9 +7,10 @@
     "policyType": "Custom",
     "mode": "Indexed",
     "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics",
-    "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period.",
+    "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html",
     "metadata": {
       "deprecated": true,
+      "supersededBy": "e920df7f-9a64-4066-9b58-52684c02a091",
       "version": "1.1.0-deprecated",
       "category": "Monitoring",
       "source": "https://github.com/Azure/Enterprise-Scale/",

modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json

@@ -9,7 +9,7 @@
     "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ",
     "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -85,7 +85,7 @@
           },
           "name": "current",
           "roleDefinitionIds": [
-            "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
           ],
           "deployment": {
             "properties": {

modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json

@@ -9,7 +9,7 @@
     "displayName": "SQL servers deploys a specific min TLS version requirement.",
     "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -72,7 +72,7 @@
           },
           "name": "current",
           "roleDefinitionIds": [
-            "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+            "/providers/microsoft.authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437"
           ],
           "deployment": {
             "properties": {

modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_tde.json

@@ -10,6 +10,7 @@
     "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html",
     "metadata": {
       "deprecated": true,
+      "supersededBy": "86a912f6-9a06-4e26-b447-11b16ba8659f",
       "version": "1.1.1-deprecated",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",

modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json

@@ -9,7 +9,7 @@
     "displayName": "SQL managed instances deploy a specific min TLS version requirement.",
     "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.2.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -62,6 +62,7 @@
         "effect": "[parameters('effect')]",
         "details": {
           "type": "Microsoft.Sql/managedInstances",
+          "evaluationDelay": "AfterProvisioningSuccess",
           "existenceCondition": {
             "allOf": [
               {
@@ -72,7 +73,7 @@
           },
           "name": "current",
           "roleDefinitionIds": [
-            "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+            "/providers/microsoft.authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d"
           ],
           "deployment": {
             "properties": {

modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json

@@ -9,7 +9,7 @@
     "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ",
     "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "Storage",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -84,7 +84,7 @@
           },
           "name": "current",
           "roleDefinitionIds": [
-            "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+            "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
           ],
           "deployment": {
             "properties": {

modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_denyaction_deleteprotection.tmpl.json

@@ -0,0 +1,37 @@
+{
+  "name": "DenyAction-DeleteProtection",
+  "type": "Microsoft.Authorization/policySetDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings",
+    "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Monitoring",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {},
+    "policyDefinitions": [
+      {
+        "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings",
+        "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs",
+        "parameters": {},
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings",
+        "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs",
+        "parameters": {},
+        "groupNames": []
+      }
+    ],
+    "policyDefinitionGroups": null
+  }
+}

modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.tmpl.json

@@ -8,7 +8,7 @@
     "displayName": "Deploy Microsoft Defender for Cloud configuration",
     "description": "Deploy Microsoft Defender for Cloud configuration",
     "metadata": {
-      "version": "5.0.1",
+      "version": "6.0.0.",
       "category": "Security Center",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -294,8 +294,8 @@
         "groupNames": []
       },
       {
-        "policyDefinitionReferenceId": "defenderForStorageAccounts",
-        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3",
+        "policyDefinitionReferenceId": "defenderForStorageAccountsV2",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390",
         "parameters": {
           "effect": {
             "value": "[parameters('enableAscForStorage')]"