ALZ Policy Version Pinning Update (#1853)

Azure · Nov 29, 2024 · 4458a51 · 4458a51
1 parent 73d6e73
commit 4458a51
Show file tree

Hide file tree

Showing 77 changed files with 658 additions and 152 deletions.
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -52,6 +52,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 ### 🔃 Policy Refresh Q2 FY25
 
+- *Policy Versioning Support* - all initiatives and assignments have been pinned to the current major version of built-in policies or initiatives deployed by ALZ. This ensures that all ALZ deployments will successfully deploy using the currently validated versions of ALZ built-in policies and initiatives. As these get updated the team will validate changes and impact before incrementing the recommended version.
 - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group.
 - Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html).
 - Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder.

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json
@@ -26,7 +26,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "auditWAF": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66"
+            "auditWAF": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
+            "policyVersion": "2.*.*"
         },
         "policyAssignmentNames": {
             "auditWAF": "Audit-AppGW-WAF",
@@ -42,12 +43,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').auditWAF]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').auditWAF]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {

diff --git a/.../managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json b/.../managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
@@ -17,7 +17,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a"
+            "auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
+            "policyVersion": "2.*.*"
         },
         "policyAssignmentNames": {
             "auditRGL": "Audit-ResourceRGLocation",
@@ -33,12 +34,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').auditRGL]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').auditRGL]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json
@@ -35,7 +35,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "auditZR": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5"
+            "auditZR": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5",
+            "policyVersion": "1.*.*-preview"
         },
         "policyAssignmentNames": {
             "auditZR": "Audit-ZoneResiliency",
@@ -51,12 +52,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').auditZR]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').auditZR]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {

diff --git a/...rm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json b/...rm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json
@@ -13,7 +13,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99"
+            "denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+            "policyVersion": "7.*.*"
         },
         "policyAssignmentNames": {
             "denyAksNoPrivEsc": "Deny-Priv-Esc-AKS",
@@ -24,12 +25,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyAksNoPrivEsc]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').denyAksNoPrivEsc]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "parameters": {
                     "effect": {

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json
@@ -13,7 +13,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"
+            "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+            "policyVersion": "9.*.*"
         },
         "policyAssignmentNames": {
             "denyAksPriv": "Deny-Privileged-AKS",
@@ -24,12 +25,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyAksPriv]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').denyAksPriv]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "parameters": {
                     "effect": {

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json
@@ -13,7 +13,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"
+            "denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+            "policyVersion": "8.*.*"
         },
         "policyAssignmentNames": {
             "denyHttpIngressAks": "Enforce-AKS-HTTPS",
@@ -24,12 +25,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyHttpIngressAks]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').denyHttpIngressAks]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "parameters": {
                     "effect": {

diff --git a/...managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json b/...managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json
@@ -25,7 +25,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "denyClassicResources": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
+            "denyClassicResources": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+            "policyVersion": "2.*.*"
         },
         "policyAssignmentNames": {
             "denyClassicResources": "Deny-Classic-Resources",
@@ -41,12 +42,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyClassicResources]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').denyClassicResources]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {

diff --git a/...Arm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json b/...Arm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json
@@ -25,7 +25,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "denyHybridNetworking": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
+            "denyHybridNetworking": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+            "policyVersion": "2.*.*"
         },
         "policyAssignmentNames": {
             "denyHybridNetworking": "Deny-HybridNetworking",
@@ -41,12 +42,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyHybridNetworking]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').denyHybridNetworking]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json
@@ -17,7 +17,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900"
+            "denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+            "policyVersion": "1.*.*"
          },
         "policyAssignmentNames": {
             "denyIpForwarding": "Deny-IP-forwarding",
@@ -33,7 +34,7 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyIpForwarding]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
@@ -44,7 +45,8 @@
                         "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
                     }
                 ],
-                "policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]"
+                "policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]"
             }
         }        
     ],

diff --git a/...managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json b/...managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json
@@ -17,7 +17,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "denyPipOnNic": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114"
+            "denyPipOnNic": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
+            "policyVersion": "1.*.*"
         },
         "policyAssignmentNames": {
             "denyPipOnNIC": "Deny-Public-IP-On-NIC",
@@ -33,12 +34,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyPipOnNic]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').denyPipOnNic]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json
@@ -17,7 +17,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "denyPip": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
+            "denyPip": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+            "policyVersion": "2.*.*"
         },
         "policyAssignmentNames": {
             "denyPip": "Deny-Public-IP",
@@ -33,12 +34,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyPip]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').denyPip]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {

diff --git a/.../managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json b/.../managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json
@@ -17,7 +17,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9"
+            "storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+            "policyVersion": "2.*.*"
         },
         "policyAssignmentNames": {
             "storageHttps": "Deny-Storage-http",
@@ -33,12 +34,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').storageHttps]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').storageHttps]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json
@@ -17,7 +17,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "denyVMUnmanagedDisk": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
+            "denyVMUnmanagedDisk": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
+            "policyVersion": "1.*.*"
         },
         "policyAssignmentNames": {
             "denyVMUnmanagedDisk": "Deny-UnmanagedDisk",
@@ -33,12 +34,13 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').denyVMUnmanagedDisk]",
             "properties": {
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').denyVMUnmanagedDisk]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json
@@ -17,7 +17,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "ascMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
+            "ascMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
+            "policyVersion": "57.*.*"
         },
         "policyAssignmentNames": {
             "ascMonitoring": "Deploy-ASC-Monitoring",
@@ -33,7 +34,7 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').ascMonitoring]",
             "location": "[deployment().location]",
             "identity": {
@@ -43,6 +44,7 @@
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').ascMonitoring]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json
@@ -29,7 +29,8 @@
     },
     "variables": {
         "policyDefinitions": {
-            "deployAzureActivityLog": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f"
+            "deployAzureActivityLog": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
+            "policyVersion": "1.*.*"
         },
         "policyAssignmentNames": {
             "azureActivityLog": "Deploy-AzActivity-Log",
@@ -51,7 +52,7 @@
     "resources": [
         {
             "type": "Microsoft.Authorization/policyAssignments",
-            "apiVersion": "2022-06-01",
+            "apiVersion": "2024-04-01",
             "name": "[variables('policyAssignmentNames').azureActivityLog]",
             "location": "[deployment().location]",
             "identity": {
@@ -61,6 +62,7 @@
                 "description": "[variables('policyAssignmentNames').description]",
                 "displayName": "[variables('policyAssignmentNames').displayName]",
                 "policyDefinitionId": "[variables('policyDefinitions').deployAzureActivityLog]",
+                "definitionVersion": "[variables('policyDefinitions').policyVersion]",
                 "enforcementMode": "[parameters('enforcementMode')]",
                 "nonComplianceMessages": [
                     {