Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Library Templates (automated) #1195

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
"Deny-Privileged-AKS",
"Deny-Storage-http",
"Deny-Subnet-Without-Nsg",
"Deploy-AKS-Policy",
"Deploy-AzSqlDb-Auditing",
"Deploy-MDFC-DefSQL-AMA",
"Deploy-SQL-TDE",
Expand All @@ -25,6 +24,7 @@
"Enforce-AKS-HTTPS",
"Enforce-ASR",
"Enforce-GR-KeyVault",
"Enforce-Subnet-Private",
"Enforce-TLS-SSL-H224"
],
"policy_definitions": [],
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,8 @@
"Deploy-VMSS-Monitoring",
"Enable-AUM-CheckUpdates",
"Enforce-ASR",
"Enforce-GR-KeyVault"
"Enforce-GR-KeyVault",
"Enforce-Subnet-Private"
],
"policy_definitions": [],
"policy_set_definitions": [],
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"Deny-UnmanagedDisk",
"Deploy-ASC-Monitoring",
"Deploy-AzActivity-Log",
"Deploy-Diag-Logs",
"Deploy-Diag-LogsCat",
"Deploy-MDEndpoints",
"Deploy-MDEndpointsAMA",
"Deploy-MDFC-Config-H224",
Expand Down Expand Up @@ -200,6 +200,7 @@
"Enforce-Guardrails-APIM",
"Enforce-Guardrails-AppServices",
"Enforce-Guardrails-Automation",
"Enforce-Guardrails-BotService",
"Enforce-Guardrails-CognitiveServices",
"Enforce-Guardrails-Compute",
"Enforce-Guardrails-ContainerApps",
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"name": "Deploy-Diag-LogsCat",
"location": "${default_location}",
"dependsOn": [],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.",
"displayName": "Enable category group resource logging for supported resources to Log Analytics",
"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
"message": "Diagnostic settings {enforcementMode} be deployed to Azure services to forward logs to Log Analytics."
}
],
"parameters": {
"logAnalytics": {
"value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
}
},
"scope": "${current_scope_resource_id}",
"notScopes": []
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -210,13 +210,13 @@
"azureStorageTableSecondaryPrivateDnsZoneId": {
"value": "${private_dns_zone_prefix}privatelink.table.core.windows.net"
},
"azureSiteRecoveryBackupPrivateDnsZoneID": {
"azureSiteRecoveryBackupPrivateDnsZoneId": {
"value": "${private_dns_zone_prefix}privatelink.${connectivity_location_short}.backup.windowsazure.com"
},
"azureSiteRecoveryBlobPrivateDnsZoneID": {
"azureSiteRecoveryBlobPrivateDnsZoneId": {
"value": "${private_dns_zone_prefix}privatelink.blob.core.windows.net"
},
"azureSiteRecoveryQueuePrivateDnsZoneID": {
"azureSiteRecoveryQueuePrivateDnsZoneId": {
"value": "${private_dns_zone_prefix}privatelink.queue.core.windows.net"
}
},
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"name": "Enforce-Subnet-Private",
"dependsOn": [],
"properties": {
"description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement",
"displayName": "Subnets should be private",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837",
"enforcementMode": "Default",
"nonComplianceMessages": [
{
"message": "Subnets {enforcementMode} be private."
}
],
"parameters": {
"effect": {
"value": "Audit"
}
},
"scope": "${current_scope_resource_id}",
"notScopes": []
},
"location": "${default_location}",
"identity": {
"type": "None"
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "AppService append sites with minimum TLS version to enforce.",
"description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.",
"metadata": {
"version": "1.1.0",
"version": "1.2.0",
"category": "App Service",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand All @@ -35,6 +35,7 @@
"type": "String",
"defaultValue": "1.2",
"allowedValues": [
"1.3",
"1.2",
"1.0",
"1.1"
Expand All @@ -54,7 +55,7 @@
},
{
"field": "Microsoft.Web/sites/config/minTlsVersion",
"notEquals": "[parameters('minTlsVersion')]"
"less": "[parameters('minTlsVersion')]"
}
]
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.",
"description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "Cache",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -56,7 +56,7 @@
"anyOf": [
{
"field": "Microsoft.Cache/Redis/minimumTlsVersion",
"notequals": "[parameters('minimumTlsVersion')]"
"less": "[parameters('minimumTlsVersion')]"
}
]
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "Event Hub namespaces should use a valid TLS version",
"description": "Event Hub namespaces should use a valid TLS version.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "Event Hub",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -52,7 +52,7 @@
"anyOf": [
{
"field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
"notEquals": "[parameters('minTlsVersion')]"
"less": "[parameters('minTlsVersion')]"
},
{
"field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "MySQL database servers enforce SSL connections.",
"description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -66,7 +66,7 @@
},
{
"field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
"notequals": "[parameters('minimalTlsVersion')]"
"less": "[parameters('minimalTlsVersion')]"
}
]
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "Azure Cache for Redis only secure connections should be enabled",
"description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "Cache",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -41,7 +41,7 @@
"1.0"
],
"metadata": {
"displayName": "Select minumum TLS version for Azure Cache for Redis.",
"displayName": "Select minimum TLS version for Azure Cache for Redis.",
"description": "Select minimum TLS version for Azure Cache for Redis."
}
}
Expand All @@ -61,7 +61,7 @@
},
{
"field": "Microsoft.Cache/Redis/minimumTlsVersion",
"notequals": "[parameters('minimumTlsVersion')]"
"less": "[parameters('minimumTlsVersion')]"
}
]
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "Azure SQL Database should have the minimal TLS version set to the highest version",
"description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -61,7 +61,7 @@
},
{
"field": "Microsoft.Sql/servers/minimalTlsVersion",
"notequals": "[parameters('minimalTlsVersion')]"
"less": "[parameters('minimalTlsVersion')]"
}
]
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@
"policyType": "Custom",
"mode": "Indexed",
"displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version",
"description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
"description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -61,7 +61,7 @@
},
{
"field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
"notequals": "[parameters('minimalTlsVersion')]"
"less": "[parameters('minimalTlsVersion')]"
}
]
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "Deny vNet peering cross subscription.",
"description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
"metadata": {
"version": "1.0.1",
"version": "1.1.0",
"category": "Network",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand All @@ -31,6 +31,14 @@
"Disabled"
],
"defaultValue": "Deny"
},
"allowedVnets": {
"type": "Array",
"metadata": {
"displayName": "Allowed vNets to peer with",
"description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}"
},
"defaultValue": []
}
},
"policyRule": {
Expand All @@ -41,8 +49,16 @@
"equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
},
{
"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
"notcontains": "[subscription().id]"
"allOf": [
{
"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
"notIn": "[parameters('allowedVnets')]"
},
{
"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
"notLike": "[concat(subscription().id, '/*')]"
}
]
}
]
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.",
"description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
"metadata": {
"version": "1.1.0",
"version": "1.2.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -61,7 +61,7 @@
},
{
"field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
"notequals": "[parameters('minimalTlsVersion')]"
"less": "[parameters('minimalTlsVersion')]"
}
]
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ",
"description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
"metadata": {
"version": "1.1.0",
"version": "1.2.0",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -61,7 +61,7 @@
},
{
"field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion",
"notEquals": "[parameters('minimalTlsVersion')]"
"less": "[parameters('minimalTlsVersion')]"
}
]
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "Deploy-Private-DNS-Generic",
"description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.",
"metadata": {
"version": "1.0.0",
"version": "2.0.0",
"category": "Networking",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand All @@ -34,8 +34,8 @@
"privateDnsZoneId": {
"type": "String",
"metadata": {
"displayName": "Private DNS Zone ID for Paas services",
"description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.",
"displayName": "Private DNS Zone ID for PaaS services",
"description": "The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.",
"strongType": "Microsoft.Network/privateDnsZones",
"assignPermissions": true
}
Expand All @@ -61,11 +61,24 @@
"description": "The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists"
},
"defaultValue": "PT10M"
},
"location": {
"type": "String",
"metadata": {
"displayName": "Location (Specify the Private Endpoint location)",
"description": "Specify the Private Endpoint location",
"strongType": "location"
},
"defaultValue": "northeurope"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "location",
"equals": "[parameters('location')]"
},
{
"field": "type",
"equals": "Microsoft.Network/privateEndpoints"
Expand Down
Loading