From a51d3b062020658da50a150976be5563f0afa6f1 Mon Sep 17 00:00:00 2001
From: Arjen Huitema
Date: Wed, 5 Jun 2024 19:43:30 +0200
Subject: [PATCH 01/13] feat: Add DenyAction-DeleteResources policy definition

---
 eslzArm/eslzArm.json | 18 ++--
 ...TION-DeleteResourcesPolicyAssignment.json} | 34 +++++---
 .../policyDefinitions/policies.json | 82 ++++++++++---
 .../DenyAction-DeleteResources.json | 72 ++++++++++++++++
 src/templates/policies.bicep | 1 +
 5 files changed, 151 insertions(+), 56 deletions(-)
 rename eslzArm/managementGroupTemplates/policyAssignments/{DENYACTION-ResourceDeletionPolicyAssignment.json => DENYACTION-DeleteResourcesPolicyAssignment.json} (51%)
 create mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json

diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index ea0462879b..2d88435ad9 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -1509,7 +1509,7 @@
 "wsStoragePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json')]",
 "wsSynapsePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json')]",
 "wsVirtualDesktopPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json')]",
- "denyResourceDeletionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENYACTION-ResourceDeletionPolicyAssignment.json')]"
+ "denyActionDeleteUAMIAMAPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENYACTION-DeleteResourcesPolicyAssignment.json')]"
 },
 // Declaring deterministic deployment names
 "deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]",
@@ -1618,7 +1618,7 @@
 "pidCuaDeploymentNameNetworkingNone": "[take(concat('pid-', variables('cuaidNetworkingNone'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
 "pidCuaDeploymentNameNetworkingHubSpoke": "[take(concat('pid-', variables('cuaidNetworkingHubSpoke'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
 "pidCuaDeploymentNameNetworkingVirtualWan": "[take(concat('pid-', variables('cuaidNetworkingVirtualWan'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
- "denyResourceDeletionPolicyDeploymentName": "[take(concat('alz-DenyResourceDeletion', variables('deploymentSuffix')), 64)]",
+ "denyActionDeleteUAMIAMAPolicyDeploymentName": "[take(concat('alz-DenyActionDeleteUAMI', variables('deploymentSuffix')), 64)]",
 // Workload Specific Compliance Initiatives
 "wsCMKDeploymentName": "[take(concat('alz-wsCMK', variables('deploymentSuffix')), 35)]",
 "wsAPIMDeploymentName": "[take(concat('alz-wsAPIM', variables('deploymentSuffix')), 35)]",
@@ -4374,7 +4374,7 @@
 "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
- "name": "[variables('deploymentNames').denyResourceDeletionPolicyDeploymentName]",
+ "name": "[variables('deploymentNames').denyActionDeleteUAMIAMAPolicyDeploymentName]",
 "scope": "[variables('scopes').platformManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
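Review bot: The deployment-name literal in the -1618 hunk, `alz-DenyActionDeleteUAMI`, drops the `AMA` suffix that the new variable key `denyActionDeleteUAMIAMAPolicyDeploymentName` and the assignment name introduced elsewhere in this patch carry, so the three identifiers for one deployment no longer share a searchable stem in the activity log. Suggest aligning it: `"denyActionDeleteUAMIAMAPolicyDeploymentName": "[take(concat('alz-DenyActionDeleteUAMIAMA', variables('deploymentSuffix')), 64)]",`.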
@@ -4384,11 +4384,17 @@
 "mode": "Incremental",
 "templateLink": {
 "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').denyResourceDeletionPolicyAssignment]"
+ "uri": "[variables('deploymentUris').denyActionDeleteUAMIAMAPolicyAssignment]"
 },
 "parameters": {
- "listOfResourceTypesDisallowedForDeletion": {
- "value": "[parameters('listOfResourceTypesDisallowedForDeletion')]"
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "resourceName": {
+ "value": "[variables('platformResourceNames').userAssignedIdentity]"
+ },
+ "resourceType": {
+ "value": "Microsoft.ManagedIdentity/userAssignedIdentities"
 }
 }
 }
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-ResourceDeletionPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteResourcesPolicyAssignment.json
similarity index 51%
rename from eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-ResourceDeletionPolicyAssignment.json
rename to eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteResourcesPolicyAssignment.json
index d184f11ea1..78c1b55aaa 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-ResourceDeletionPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteResourcesPolicyAssignment.json
@@ -2,6 +2,12 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
 "enforcementMode": {
 "type": "string",
 "allowedValues": [
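Review bot: The parameters block in the -4384 hunk pins this deployment to a single resource (`resourceType` is a literal and `resourceName` is read from `variables('platformResourceNames').userAssignedIdentity`, which cannot be confirmed from this hunk), while the template it links to was renamed to the generic DENYACTION-DeleteResources, so a reader of this resource gets no hint that the generic guard is instantiated here exactly once and for which resource. This file already carries `//` comments, so a line above the deployment such as `// Instantiates the generic DenyAction-DeleteResources guard once, for the platform UAMI used by AMA` would record the intent. The enclosing deployment resource starts in the -4374 hunk, where its `condition` gating on `enableLogAnalytics` is visible. It is also worth confirming that `platformResourceNames.userAssignedIdentity` exists in this template's variables, since a missing key only surfaces at deployment time.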
@@ -18,22 +24,27 @@
 ],
 "defaultValue": "DenyAction"
 },
- "listOfResourceTypesDisallowedForDeletion": {
- "type": "Array",
+ "resourceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the name of the resource that you want to protect from accidental deletion."
+ }
+ },
+ "resourceType": {
+ "type": "string",
 "metadata": {
- "displayName": "Resource types that cannot be deleted",
- "description": "The list of resource types that cannot be deleted."
+ "description": "Provide the resource type that you want to protect from accidental deletion."
 }
 }
 },
 "variables": {
 "policyDefinitions": {
- "denyActionResourceDeletion": "/providers/Microsoft.Authorization/policyDefinitions/78460a36-508a-49a4-b2b2-2f5ec564f4bb"
+ "denyActionResourceDeletion": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteResources')]"
 },
 "policyAssignmentNames": {
- "denyActionResourceDeletion": "DenyAction-Resource-Del",
- "description": "This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.",
- "displayName": "Do not allow deletion of resource types"
+ "denyActionResourceDeletion": "DenyAction-DeleteUAMIAMA",
+ "description": "This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect.",
+ "displayName": "Do not allow deletion of the User Assigned Managed Identity used by AMA"
 }
 },
 "resources": [
@@ -50,8 +61,11 @@
 "effect": {
 "value": "[parameters('effect')]"
 },
- "listOfResourceTypesDisallowedForDeletion": {
- "value": "[parameters('listOfResourceTypesDisallowedForDeletion')]"
+ "resourceName": {
+ "value": "[parameters('resourceName')]"
+ },
+ "resourceType": {
+ "value": "[parameters('resourceType')]"
 }
 }
 }
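Review bot: The `policyDefinitions.denyActionResourceDeletion` variable in the -18 hunk builds its id under `/providers/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteResources`, but what this commit adds is a policy definition, not a policy set: the new `$fxv#142` entry in policies.json declares `"type": "Microsoft.Authorization/policyDefinitions"` and the created file lives under `src/resources/Microsoft.Authorization/policyDefinitions/`, so the assignment would point at an id that does not exist and the delete guard would likely fail to deploy. Change the path segment to `policyDefinitions`: `"denyActionResourceDeletion": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources')]"`. Related, the generated definition writes `then.effect` as `[parameters('effect')]` with a single bracket while its `if` conditions and every other definition in that file use the `[[...]` escape, which looks like it would be evaluated by the outer deployment instead of being passed through to the policy; that fix belongs in the source JSON the generated file is built from. Finally, the template was renamed to the generic DENYACTION-DeleteResources and now takes `resourceName`/`resourceType`, yet its assignment name, displayName and description are hard-coded to the AMA identity, so a second use for another resource would carry a misleading name; either expose those three strings as parameters with the UAMI/AMA values as defaults or keep the file name specific.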
diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
index c793c31089..84249d3798 100644
--- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
+++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
@@ -4,19 +4,19 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.27.1.19265",
- "templateHash": "7304049549738304121"
+ "version": "0.18.4.5664",
+ "templateHash": "7536018264178480828"
 }
 },
 "parameters": {
 "topLevelManagementGroupPrefix": {
 "type": "string",
 "defaultValue": "alz",
+ "maxLength": 10,
 "metadata": {
- "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!",
- "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\""
- },
- "maxLength": 10
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"",
+ "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!"
+ }
 },
 "location": {
 "type": "string",
@@ -125,35 +125,36 @@ "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": 
\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. 
The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. 
See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. 
Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n 
}\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#142": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": 
\"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#143": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#144": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n 
\"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#145": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": 
\"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#146": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#147": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce 
connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the 
execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n 
\"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n 
},\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of resource types\",\n \"description\": \"This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": 
\"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#143": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#144": "{\n \"name\": 
\"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#145": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": 
\"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#146": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": 
\"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#147": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n 
\"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n 
\"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#15": "{\n \"name\": \"Deny-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny the creation of private DNS\",\n \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#150": "{\n \"name\": 
\"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute 
clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": 
\"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": 
\"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#155": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": 
\"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. 
It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": 
\"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#156": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. 
This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": 
\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#157": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#158": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": 
\"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#159": "{\n \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n 
\"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n },\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"defaultValue\": \"True\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"chinaeast2\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"string\"\n },\n \"logsEnabled\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"subscriptionToLa\",\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n 
\"apiVersion\": \"2017-05-01-preview\",\n \"location\": \"Global\",\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Administrative\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Security\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ServiceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Alert\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Recommendation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Policy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ResourceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n 
]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n 
\"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": 
\"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": 
{\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": 
\"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": 
false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#155": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#156": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the 
assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. 
It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n 
\"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": 
\"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#157": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n 
\"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#158": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. 
You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#159": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. 
Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#16": "{\n \"name\": \"Deny-PublicEndpoint-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n {\n \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n \"notequals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#160": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#161": "{\n \"name\": \"Deploy-MySQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", - "$fxv#162": "{\n \"name\": \"Deploy-PostgreSQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", - "$fxv#163": "{\n \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. 
This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"privateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"afs\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n 
\"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-afs\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#164": "{\n \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. 
Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID\",\n \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"vault\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n 
{\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"keyvault-privateDnsZone\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#165": "{\n \"name\": \"Deploy-Private-DNS-Azure-Web\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. 
Learn more at: https://aka.ms/awps/privatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Web PubSub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone Id\",\n \"description\": \"Private DNS zone to integrate with private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"webpubsub\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), 
'/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-webpubsub-azure-com\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#166": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n 
\"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#167": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. 
Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. 
It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": 
\"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#168": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#160": "{\n \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": 
\"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n },\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"defaultValue\": \"True\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"chinaeast2\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"string\"\n },\n \"logsEnabled\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"subscriptionToLa\",\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"location\": \"Global\",\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Administrative\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Security\",\n \"enabled\": 
\"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ServiceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Alert\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Recommendation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Policy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ResourceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#161": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#162": "{\n \"name\": \"Deploy-MySQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", + "$fxv#163": "{\n \"name\": \"Deploy-PostgreSQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", + "$fxv#164": "{\n \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. 
This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"privateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"afs\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n 
\"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-afs\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#165": "{\n \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. 
Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID\",\n \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"vault\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n 
{\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"keyvault-privateDnsZone\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#166": "{\n \"name\": \"Deploy-Private-DNS-Azure-Web\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. 
Learn more at: https://aka.ms/awps/privatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Web PubSub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone Id\",\n \"description\": \"Private DNS zone to integrate with private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"webpubsub\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), 
'/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-webpubsub-azure-com\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#167": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n 
\"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#168": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. 
Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. 
It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": 
\"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#169": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. 
This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": 
\"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#17": "{\n \"name\": \"Deny-PublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deny the creation of public IP\",\n \"description\": \"[Deprecated] This policy denies creation of Public IPs under the assigned scope. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/publicIPAddresses\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", "$fxv#18": "{\n \"name\": \"Deny-RDP-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"[Deprecated] RDP access from the Internet should be blocked\",\n \"description\": \"This policy denies any network security rule that allows RDP access from Internet. 
This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"Deny-MgmtPorts-From-Internet\",\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"3389\"\n },\n {\n \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\",\n \"equals\": \"true\"\n },\n {\n \"count\": {\n \"field\": 
\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"3389\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#19": "{\n \"name\": \"Deny-MgmtPorts-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Management port access from the Internet should be blocked\",\n 
\"description\": \"This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.\",\n \"metadata\": {\n \"version\": \"2.1.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deny-RDP-From-Internet\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ports\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"in\": \"[[parameters('ports')]\"\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), 
and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notIn\": \"[[parameters('ports')]\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": 
\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n \"in\": \"[[parameters('ports')]\"\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), 
contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"notIn\": \"[[parameters('ports')]\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", @@ -405,10 +406,10 @@ "[variables('$fxv#138')]", "[variables('$fxv#139')]", "[variables('$fxv#140')]", - "[variables('$fxv#141')]" + "[variables('$fxv#141')]", + "[variables('$fxv#142')]" ], "AzureCloud": [ - "[variables('$fxv#142')]", "[variables('$fxv#143')]", "[variables('$fxv#144')]", "[variables('$fxv#145')]", 
@@ -422,10 +423,10 @@ "[variables('$fxv#153')]", "[variables('$fxv#154')]", "[variables('$fxv#155')]", - "[variables('$fxv#156')]" + "[variables('$fxv#156')]", + "[variables('$fxv#157')]" ], "AzureChinaCloud": [ - "[variables('$fxv#157')]", "[variables('$fxv#158')]", "[variables('$fxv#159')]", "[variables('$fxv#160')]", @@ -433,12 +434,13 @@ "[variables('$fxv#162')]", "[variables('$fxv#163')]", "[variables('$fxv#164')]", - "[variables('$fxv#165')]" + "[variables('$fxv#165')]", + "[variables('$fxv#166')]" ], "AzureUSGovernment": [ - "[variables('$fxv#166')]", "[variables('$fxv#167')]", - "[variables('$fxv#168')]" + "[variables('$fxv#168')]", + "[variables('$fxv#169')]" ] }, "policyDefinitionsByCloudType": { diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json new file mode 100644 index 0000000000..ab9eb03099 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json 
@@ -0,0 +1,72 @@
+{
+ "name": "DenyAction-DeleteResources",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Do not allow deletion of resource types",
+ "description": "This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "General",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "resourceName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Resource Name",
+ "description": "Provide the name of the resource that you want to protect from accidental deletion."
+ }
+ },
+ "resourceType": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Resource Type",
+ "description": "Provide the resource type that you want to protect from accidental deletion."
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DenyAction",
+ "Disabled"
+ ],
+ "defaultValue": "DenyAction"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "[[parameters('resourceType')]"
+ },
+ {
+ "field": "name",
+ "like": "[[parameters('resourceName')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "actionNames": [
+ "delete"
+ ]
+ }
+ }
+ }
+ }
+}
diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep
index e2ec8a9d91..0ec8d09707 100644
--- a/src/templates/policies.bicep
+++ b/src/templates/policies.bicep
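Review bot: The `details` block under `policyRule.then` sets only `actionNames: ["delete"]` and leaves `cascadeBehaviors` unset, so whether deleting a resource group that contains a protected resource is blocked or allowed falls to the platform default rather than to anything reviewable in this file; making it explicit, e.g. `"cascadeBehaviors": { "resourceGroup": "deny" }` next to `actionNames`, records the intended scope of the guardrail. The `like` operator on `"field": "name"` accepts wildcards, so a `resourceName` value of `*` would protect every resource of the given type — worth stating in the parameter description (`"Name, or wildcard pattern using *, of the resource to protect from accidental deletion."`), since the parameter has no default and every assignment must supply it. DenyAction is a safeguard against accidental deletes issued through ARM, not a security boundary — anyone who can edit or exempt the assignment can bypass it — and the description could say so to set expectations. Minor: the description reads "accidentals deletion".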
@@ -183,6 +183,7 @@ var loadPolicyDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Modify-NSG.json') // FSI specific policy loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Modify-UDR.json') // FSI specific policy loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Generic.json') + loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json') ] AzureCloud: [ loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment From 786143fa736dbc87330bcc326deb8858f1aa620d Mon Sep 17 00:00:00 2001 From: Arjen Huitema Date: Wed, 5 Jun 2024 21:32:52 +0200 Subject: [PATCH 02/13] fix: Fix syntax error in DenyAction-DeleteResources policy definition --- .../managementGroupTemplates/policyDefinitions/policies.json | 4 ++-- .../policyDefinitions/DenyAction-DeleteResources.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 84249d3798..16daf399f6 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.18.4.5664", - "templateHash": "7536018264178480828" + "templateHash": "1904119621032411499" } }, "parameters": { 
@@ -125,7 +125,7 @@ "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": 
\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. 
The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. 
See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. 
Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n 
}\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of resource types\",\n \"description\": \"This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": 
\"[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of resource types\",\n \"description\": \"This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", "$fxv#143": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": 
\"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n 
\"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#145": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n 
\"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json index ab9eb03099..d8fedc8fad 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json @@ -60,7 +60,7 @@ ] }, "then": { - "effect": "[parameters('effect')]", + "effect": "[[parameters('effect')]", "details": { "actionNames": [ "delete" From 664e53ec4167c83c3d9573e63b73c4251a494398 Mon Sep 17 00:00:00 2001 From: Arjen Huitema Date: Wed, 5 Jun 2024 22:04:46 +0200 Subject: [PATCH 03/13] chore: Update policy assignment name in ESLZ ARM template --- eslzArm/eslzArm.json | 2 +- ...nment.json => DENYACTION-DeleteUAMIAMAPolicyAssignment.json} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename eslzArm/managementGroupTemplates/policyAssignments/{DENYACTION-DeleteResourcesPolicyAssignment.json => DENYACTION-DeleteUAMIAMAPolicyAssignment.json} (96%) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 2d88435ad9..4f8e63a38a 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json 
@@ -1509,7 +1509,7 @@ "wsStoragePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json')]", "wsSynapsePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json')]", "wsVirtualDesktopPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json')]", - "denyActionDeleteUAMIAMAPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENYACTION-DeleteResourcesPolicyAssignment.json')]" + "denyActionDeleteUAMIAMAPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json')]" }, // Declaring deterministic deployment names "deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteResourcesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json similarity index 96% rename from eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteResourcesPolicyAssignment.json rename to eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json index 78c1b55aaa..31875c0798 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteResourcesPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json 
@@ -39,7 +39,7 @@ }, "variables": { "policyDefinitions": { - "denyActionResourceDeletion": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteResources')]" + "denyActionResourceDeletion": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources')]" }, "policyAssignmentNames": { "denyActionResourceDeletion": "DenyAction-DeleteUAMIAMA", From 337be7403b636942ddd9030ab67563b278bc3cd6 Mon Sep 17 00:00:00 2001 From: Arjen Huitema Date: Wed, 5 Jun 2024 23:22:02 +0200 Subject: [PATCH 04/13] Update documentation --- docs/wiki/ALZ-Policies.md | 2 +- docs/wiki/Whats-new.md | 6 ++++++ .../wiki/media/ALZ Policy Assignments v2.xlsx | Bin 50030 -> 49888 bytes 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md index 6e3b36f6ca..e76417bc23 100644 --- a/docs/wiki/ALZ-Policies.md +++ b/docs/wiki/ALZ-Policies.md 
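Review bot: The variable keys in the changed `policyDefinitions` entry and in the `policyAssignmentNames` entry beneath it are both still `denyActionResourceDeletion`, while the assignment itself is now named `DenyAction-DeleteUAMIAMA` and the file was renamed to match, so the template reads as if it still deploys a generic resource-deletion assignment. Renaming the keys to follow the assignment, e.g. `"denyActionDeleteUAMIAMA": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources')]"` and `"denyActionDeleteUAMIAMA": "DenyAction-DeleteUAMIAMA"`, keeps variable, assignment and file names aligned; the references that consume these keys are outside the hunk and would need the same rename. The `variables` object this hunk edits starts and ends outside the hunk.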
@@ -122,7 +122,7 @@ This management group contains all the platform child management groups, like ma | **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | -| **Do not allow deletion of resource types**\* | **Do not allow deletion of resource types** | `Policy Definition`, **Built-in** | This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. Assigned to deny the deletion of the User Assignment Managed Identity that is used for AMA. 
| DenyAction | +| **Do not allow deletion of the User Assigned Managed Identity used by AMA**\*| **Do not allow deletion of resource types** | `Policy Definition`, **Custom** | This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect. | DenyAction | > \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future. diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 9d8efd68fb..5191c17b13 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -45,6 +45,12 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale/Azure Landing Zones: +### June 2024 + +#### Tooling + +- Added new custom Policy that provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA. Assigned at the Platform Management it blocks delete calls using deny action effect. + ### 🆕 AMA Updates The ALZ Portal Accelerator has been enhanced with the latest AMA updates, ensuring a seamless and efficient management experience. 🚀 
diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx index ad5bfd895d8bcd28e3051f8450f02a355a50a0fd..d5956b164011bcb498e3918ae8522e446350fc9d 100644 GIT binary patch delta 18529 zcmZU)V~}P|6D``dZQHhO+qUheZQHh|ZTGZo+n%1b?tJgPaetiiXGiRaS}UtES7z?o z6?Gd9x*rDG7z7ER2f|DI1_c7Lf&l_T1Ofu`vSajgbg?yYbhKsgvbU?%*m5}HK=Nmt z2PlOBeUwTq>x<-u)xvUEH8J6FUSL3gNEDNjbfuM=LJofWMkL>GUEL1NtTswN6c4kq zT80aJbkx(HL@_CBS(Fy5imFScw1e9dNL&&&%RQ=x!EOW4I&5%RR0^Oq1@nL2r#7n1 z6JG2;DuINCC2gq1FfV!LWK~Q9Ha$v%(!{51=#0h*+;*9RVGU47E@e33hgWRnaNUKV zHkh$)OoUyNTi%)|;;@9Usv3dbdrI;5idWv4o!BiBrWB^Ox6$?mGHES|Zv%Zws%|{m1XO^%!Njbt@Ft=TE9qCEcYGp%u zrQqnLSXBgYTj<`bgXue7(zIIa{Bv&VUw)Kl&>;Ze5rJwjV|WZQ2V7v4Eu|lA?Wc9; zjo`>M>Nj6$?4WI6=pgR-L%xw0zhLnyI&F59BPRiJ{i!qRL?ir?T&p$i`tcqsR{_HX zNuCC2;Rip(xL2k3AK?V9jNAD^aL}29H(gI4T?_|yPGq^DvzTL)&w#iBA{ZoFqjky) z@D2dBwx|58h}+AdmIIPkUs>FeSM7#&u8pt>SGIi?M-vFAg5O{CSYwCGb}#Bl`9Si& zQmw?AaH8dX@8QxMPR?jpZEY-lGCZv5|=TK;90mEQ5MDHOV?P~n_SQ; zGcVI*3V5`#pQVep&IVigsDf)2| zK_+%W7wMRr5jlKD`NdzPkJ1K<2R{I3^(S|l?cMKW^Qf#$=3K!cKsdE_EU_31N>en@ zo_~|+7$Gi(QVVOUH3y8)hw0jCE?F}kBDwRWS%X>GTa2dxTHkKJe4~~~SlVbSVMNmm zM|1bYDATWn?HnC!1yt+t(;Gtj9*8Sim*dmx)A6{6vzm>SBwxm*jU9WB>r;Yrn_RK6 zyM*$k^C`M7SKrX@1_XQ%hAo5gcMXcOpXN+h9}t-SL)r>mLLi{-hLm|p>=dIOa6oRV zzT+knTKFC1ji6W`WfUqUab(M7;Y#&QvCfOLJsxB&g|kJD3dc?V-MVyO)goA0plR-~ zYv1nh=X+UIuVsBpqJ2;!AxT2JTzauS=K0oI_XL{v=6qXetDSeyvtG$n&CA^>Z&m)^ zaMvT?q80E>tfiS?p=Nl;%4hR2U4WO0^okOw;R?@u-eHTIpv@%_%rKi(rIoT`W|b>e zQ#II;>_i*9qdcN=PdUV&HQa@Zq}4`OCwO(mEr%hqC14YB8{=n$=$`PI+qF71H+9h+ z#!RKtUMer~`}i@Y+i&$!2`2K^+E~Qn!nrs1H}6EqRD7w1D?!*0>B86MMgS;ZadCTD zXbLDT&(I;~&?4w`o9s+mG2Q%K4&8Lh*0lpl(#cKeNX!YDA=yT#n06{9nS#LnIbv6K z1_*^+%^$P|7`G71f<-)VO;^goyWqRO6C12WWuJ@v#w$pDfB7SjAT&{uRT^0=fpcPCn-{c4pzn2!1=4CynoB0ui8 z#Gve9af^ZBx2(1LziLz*e5(@N6tg}P9FJ<(}^Yc#n;Q>y6ncFtE2SXCJ zt;`1!^AK?H11}#y8F}&($A5Cg4`E53u?V5X1A7>Wy_stZjm86c5bfWumo~!$nc;(6 zXNq}gqZHyu0`Ve2^|hdH3;^+BxEu)WJ8qf-drSwvYNwALe-@pBf?kgUed%$i!MWVE 
zf=B#HAEyLMVd77M_zUQl1H2yh%75N(+5z8;{(!gVuel?^hFuRt!aV>l_{W%S;8A}+-p|ur!asd~ zf4_e3v=im$TDh3G70*N+i)Ek|RjA50_cKdhJFE3p*UUhLT*d5DA znjEX3GF8Wt)@h)dCmY&9#>$8qx3pN48`?B49Hua#U;zvR$Rq-qkL5}(m9VrQp^^&R zA+yx*VMwO~EYdGqdaGGk`_ifZ`8e;ioB6Y|2=j6Sq_T=U|) z>kCoqwgE~KLdW6Bc+6i!(e(*|R$IW4&-j7omt3S%yqYy9oTQ_p&Y(kfYmNy3EX}pw zOU7&N&czGlMzuyLOkEs2CSl@P$Cz8dC1K!F6>03OV+B9ke_EUL@GQ!yW`6-1t2a^| zbSpyYWsk&`taA(o$&A!+B;{}>$>l6%PN0nE6%KUx6x!@1c)J z$=T>L^R>GPIig-Qqj^j4r3{F^fzkvt>qqZTN6pd0~AX$lI(k~w@~Yvrq4&??7G ze!wOo;#69l{>1=V(j-q6t1|awc$72W`ym~yREZ|vs!$Y>{y`*j-YGJ`dvQi*jjM}= zI@prWHpz%ksXRsDF(Po1C+TF~bM&B!+7}^^&9?LK7laIuH$Om~3o%pf!!fWYpJ+qp zCITvTEyV){IL(~|ws@VE%^VUW(W1_?6o(4gYz1sLP#u-Y_HD-_(XNJ*f~P31%@z2B zCTm91TAb}zTn$Tn$vLbWb$TgoCy%BOY{CwU>v*mJq8zSS@sUrwesC+tZDsFLGH}80of*J?CX`rod5Gz|xiLdIbiSHui5A3gDwrwF6P1+}7;_j}a?H$=EixLAn^}x~Bgu$VI-# z*FP!mum?K_n0l7OPziHrLW6ANMI~2zCu^hbG|J$MIfmtRc?y6G($GDwbG z#$qQ#beCU==!(Fia-Lu9HuQWvuoB6Jr=AFnX_a4%2^uQ}8taOHD#HVD#Og&T7DJUu zvpWJ{6zy4lt8iz`Q(v0&f!Y<~Q_5vhPi~|~I(L#YcHr0I8>putJwQirB%ePikXa_7 zyYP-Ar%n2YAUnFZCQos%?GU&*P2Ko^wS@tt19$r&{cUC)Z)hHc@|1zc2XcA}Vg4azT zw_9SCulfeaIaPX~L!z-^@DgfPl8|)a?L3^(gltV9Q;zgzAcWdhEL~I_a`$ch28a8R z>PbK(SF)-VEY=o`7g>&!i?D{Yk-<$N_|Y2Ie;IRLrSy0H1jOI!#ltF-?=I{t1OWS8 z&fq>hAWab;3z%m=mR$*C+`YOHpD7DH1@aI09JW8UE8#?wuP3*gfVVIE zpaN7kZCVysryjWzNNx5&wpNymlgN7^hQc_(GDLGNg|8B>oc9Fj(t%daNjoR4UIapJ zVA>|afAq!jkWHB2DOC?ZiR}O{H|y1-&d2%n{D*N3jp*8lY))=o!oJ>oBOya=VfBCU z?NlKc|KO9c;H-qX16HWi)~?`$oODoXv*jZ}PrID(t@Nt14CJ5CI8T?vIhb{Jo&6 zltU9Yy@B=jA~2P-shfyxQmdVaeOw^i{HlXcguZEfM=_w}EXctrLO9N_#${{}TGk^l zBfeBl4h4F?754rKsAc{wcW-^_0%`o8^cmgIXF(}c5fO>D@TG&??nVR(x8c|H4S>-J z>7P8a5tp3Fiw2My0iJopN;UtSK2>3|^eM$5owVLPi`US`-+=N(dRSsvn_P4&O|<7${=uM9a{YEm$hU zJ2zZ0A@eGhAL7;SLtINxF4(xfSumxgi`no0^*#}Gz&awDWX24>P}`<45qF8dP^ZFK zf8M96SJnX%%d%Q*!pk$yDG)~B1km*1$+h)|e6Y|rcMnW|kb+gomNHdV+xEaZ8m?UV zP>I?-ap6&|dmrhz#8KZS)krrv_5jGoSb|)S9SS$il?v(>E>A zt|SG6oK=`O(H<*CsI&O}n6xms_^+&ijx%e{5rnw^w5NEU^$H|DWU$yXSYieh*y7l0 
zs$EF{8ab;t@rFj+3sfp~m%1R$KUCtaNt^}1V;nwu=oY;5x&rtU`r{Q#_#HwHWE{QD zNt7weXE1ddEzFE3@{Ux=pyb(jgIh&dS;|v+VVa{;Sh*d(M`CbnKA}AhROtOw77CKb6A#wIct+_=HZSKy0Ch2ME({wbOt z#pqfcm5)?k0eTS=DW5snVG8>E6Th6%ZC%`Y+^}kWw%Y?RdI^=O(eKQ)Dg;ebLu#^Y zP-KSNs(HTX21^3INdNN@_{SZfymK5_-w=~}TU=~5tTz2~6>U#6aGp^kX=3*cISyXu zg&UT<@u@iBW(@ZG^v9@v?gtqCZ>Vf{hvk# z-%@;7cAOd$xYo{o{=cw3DhOKM5QJPw3xv-8AXT=$5fWjx49x?I%s75jSy0jb86gb% zj~%Uda6xHAbIm!L2_2{@%j1xJvt4Iyjh}MMWk@` z6cDJl03!*RqCI>Wbp3=4WA+FT`fn=HyZh(0cW!RwM>5gLB_$ua03s#ZM?s-_tFV%g z3AgVGGmVme?K# z)cSVbWsdJ2Xo5SUDWe&zUrYT`F25uCZ z6it=t-~N}{<8fN&D5=A)un-|NliQQ&-m`qy+mp4Kl>k+ZvyU$Swz}b(vwZ(2c;D}9 z!>xvTjjx)s9}8_|WHwR}Z)rfOQ9KwW*93PATH4{p(hnctZL48Uz+m;}&F1UN;m_lY zZ{O)$fqg&Dp2J7iSk6n$&WZQq!^&gx*SE{d%2bBn_v=y2X+`-@k;6+(!R7O4*R3Ik zpuWSb=FZrPPpcvO#|onR%iE7v*5%3DDXDjg44HE?fd-*L?hWHCWfEX)zXwwsStpnz z8CN1WEf|cj%xoid=w@eJP`rk6f#eT)v3ZD9cz{!BMILDrD*vxVxRI{D1vxcQTwf$X zljT%g6t7b;n}R5MVq{IL~(GMj4YiamMUy#7|! zY@1sLAzL$-n>@JmvI>ACj&0Gm&4kijcA`dvFy{TPcU0=Q*K62+EQV$r_b3JxeHeWno@V2IUc)_B>T+f7BZNV~QLZ|6E>5=rGpF zyeVj%itb^VD}&r!dgjG|*&gb8LC-Rne$}Hgs*hOTJ$oF3f5jS%)oG2(n8q`8SI{Ur z8GRQwIS(K@wmOa=3r@bNtjMiyb!NvwIf5VlY_-S=t*g?AYlCfF3z8{iE~SbLvKHBe zpc6f~gSdrpgJm8@Mg5=*nl=JyCbd|0j3ff$n~CTPb9{|fzqHN+rxKjxj$kJ14#H+> zm6VMk7XGryb~;5e|1X}5>5_$z{F<}GiP9U)4gk_YL~pW6BYBqnvLxnov|bL2@6CZb zfvX_Zaf6Zw4H$5bHH2{vB>qJX4D+ogzr@;_Y63G|Xj4mzC@_l$PYGaS(y-{lp1@9> zbiZ6g-_48-YCFYqgDxB3tu|38(1y~wR>^B3|J3$yc*D#aezM?~0_`;uyStz{eDBk7 z767GPLPllouY9tcM0){mDCLRBXomOX)W$=pwjdGz**4YlUDZ-?jaeUpAp1%PAlPKo zexV!;perT2KhiUnTP^a;WdYEclXNwbSHcObrB(5#6o^M_msXsWjL#qv z537Zyx`R+RorymbHV1c%wlGsd5u^5dwfo5VUppb!PP0_mN|3{9o$P}sOyJK^V@Ac& zgxSvdhEqMUPD`{OLV*<*qM33`@mWWoy(y!rxWUX_ujOHJ-r-Ms#+swYLjGd-+deomBb58XQUNUl4 zeENBfwv?@J^2j!1-JH|m9za}v4~QSqK$M$hCA`NEchnNUdvw1SZD=O<`AdHP(q0Rx z?4|il)o5EnKkl&_wXd0r#n5@!X9g&{#qKJwTd>AGfqg4p$pmJROdMQZ__sw6je=Ti zm5AEhqH*U}N?MGNON-zDrJ1Uf_{Jb-PP9Q=b?}g+`)w_Hl7IpG*m>Bc;g)ADMXLv! 
z7XFNou#i-Zv(jzMRM))#k4ljOnwk}!Gs_<{o?{h--e`!zxlvZ@S19@CbQXY~JCsvr zRqN0ZelR2<1LPMxx=v~bfj-h|b{&o)H{_8ElSX`5E8js|N1q8dQ@B9$yA~$%5gCNz zX^Bui=WMRmWm9#Fy4aUKN~4Ps$K#1Ay(Z9D#&&B*5s#qg1j~+VFwsOMSR(uvw-_>- zd>~={DLyJU`cuh8YpMC4j~al*mSfJ!TfCpD;CEdokKn!hd~ftBHnVExVls;a9~{Au zzA-rlFsbwR@k-tR;SBLv!nb9^*v|zanL5`3W`t-U9Ow{bG4PHUMzj~cO>3pI12OiT zkAZPj75pHfe0~7;uIEgbBj*o~kPGs@95?V5uxh&Pk04fR8I7{2H5dR~(3@bQ0s>4h zjDw0kVzc<8HN>G1R@t)7PFKV?UaylI_&l7oo((VlY?AUWybDs0fe+!$5|U>Y|`ib6>mUqhf3FIAv{ z4}_cd|7A8`<*n*vGZCqp+oCp@Pk`lsM1+g{1|$H|#Q-MSVFD<q@u{eH3y|ncAys@M!&!-LbFVx4JvDX#aUU32^`Q4$XQ#^Zp&hi>tznBPTPIlZcig z5g{Pm0WMebD}`Xtf@74&IXXwo-IR&GXe3SnOOH`Xf`Nyn1;Qhyu_p-Ct61tyQ7Dh5*Z1^ELKCESa<)jc#R-1nh~I!bpt; zVD7hGor&;KUW?e?z^;d7;nJDjErZMNKt3k|lS`+eu#R^du@;#MJ3h1@Xz(53aqZ)f zw&)yQR8bJ(1xFnr@sE;ytwS``9s4BxMnfSltYoH`dc#v~svn5)Q|raOpM9 zyKp>3Q!Uv21N8$M4idsnQk6&s1P2WP5CL*&z?*yQX7jvsBF?gcbK|ZFHYzHYWWu`A zUO?Cv#rKdT+HogEP~r0;1JCAW!9k+J22wMZNBNDoK}AutV@Z5J3s1LKd3xT}sp~2{(qOHO!b~q$Y4`XUsbd2;}9J(}JBC z?Nfn38DiSTp(nsPV?w%TG<`DK3FO8SMB>0A^&vLi^$9_Ub|;Xh8@n`^&iq5AZ1i`! 
zBsQBvu`@By4G-55R2?iIL_j!ZD7|*?v6ZDd{(-1P9GQ4O* zqAg+8KZpY9#@7Q?#}eK<*vWR+TvgSD#h*&PS#yN4PL1Hw;sFfuNWvs4>(n$ zcYi8GKzmf088WUK3*P8i{-Sc5^(B)Z>Am5c#HNhNyY6y2fSiRiyl z(*wb2xiAhMGA9MH2kO%yA_bpKG?M?ulG^5roA*SqEaLb~#Q=gt-Wmz41rUvWxk5yc zTB(6VbE;lj2U$#GHso{s`b9{W^sZf4FyM|lfht%)RW2H z#O6PuK})E-#8vns^=X|(_E7$p`tJiCFS07;gNdALT+ zlc+W$r2H7FgmWE$zvYDYKb}$yBsDP7GBO{(5Fwmv)z?_sL5j)|P3ikI2tmjCD{EBT zg}*;5Af*w$M#Ph17DOm;%Q(?QAu!HxkX*GNq#sc}GL>VgI`=t@{mURQ5mRV|eK2(D zvC@)6#a0Fj=&vLYr`=t~f{Yb=+nu4Y0ZVp*wX5BhYld1hUJ8b>qkg^TfXBxG*EgF_ zXs#`X=Z~4uxrSMrrL~(^m?};?j>bwygZ(YxqmRCtkD4jVoEwF2^ii zXuO|a)_%Sn8{$Q_O2iGxTWF z7=m{kDqI`869ZlWavcjaau2)T0WVovVc&$b?zMuK?mTk_{W70x4U22TWDjQtB4JgT z9a;u_g1#?@D-Q4PD-2(S&n2#%N>_#n%hQNoXk%#dhK9S0wh4F*$!t2;ecErrml03k zsGQFkEr;)#l+9T#OHYb>Zx@O+RaE$=b%e_XJfAFo2NIS6KgA}_ml2#-Q?bKpqp&A$ zEb51%Xe+y{DpN#Vn3jFGlG1Fl;PLe$h*Lr2hg^{w1m^^^pKmnj@>_(cdG|B+u;Qzp zZgv=|QHjDti?-ym5{?Pt#VYgm`8{Y8lf4)$8$A`|9_JDHfGb~G?EQ<^RZnyRja!=M zCEraqnjJL2l`uirdr$14+Vr7Skzt0!AzOBgF;&RNvL~uD<|yZcN*8>S5E{y3a#;XdXtSl&KV{&Z=(dh1U zSS~1&)<6&OPU6K_L-0{E)^;O*v3z7k*`Lg?j065c=sf!nA8kHa*dHyg%#b^%|DJwg zZ;ZMI{EpTVUZYqKJ|$sYtH^<7m`CH{G1CkfY+4$PH$qMkMtKM;k2{a6%M(Y9GoaQK&Ym!H zuE&3nZ9!oO9eeyW$JQ|>VunsslX!3#!3drT*cJ(QsSiaYsYM2Yd@(<#nWr9%DJ1iw zn;#m^rb5unFX%)2>`#98qLv5{2|i$-ymk8XTSh~7d$)!q@X>sE6`$+p{vHd$8 z?WK;eqSPOA5nOwq{!HrtJPOD^hc4}E&Tm|-_@+HK5;c1y{o~sIO&^kF8ae}G*Xp4|i>APu zX1FG4o@Rb)i}}j*ilq*Y_b5l%V*U66tBur1c?EH(Aj%hu4hkAS25!oRJE5$C?FpQL z&L7G&@J49UU~x{ol1S5x$jIVWdwcl|pcZzVwKzrwI5rR>cw910qW%Q&lZ&425u3j| zh`x<56@SfZ#mxWqOoq{C7h#3smRFp=-YS)o9A-( zRs7zW4?B|BMcHBU&7gWYh)tTvFh-4cPex<-4A!7a4J_*}>)gF=w=z|7!DgudB(-Mr zalaWv+o!g|$-z{aC*7#E(O~lR&!=}6m*)!YR1573HfGP@Y$KsVwy6*)O3TCYyCRRL z4%I#N7Th7M2~Gxd#n6X0meA2&2~Pfn(NlRY5_iel$v2P1y)Eyk>hQ|uFHvSg#(a0} zszF7-Jj$kL6I`e!Zf1R>J;nnD5SvVHQE6E_Ch24N7#>RmB~ttS;MzA3dOgH@$qER8 zjjbWNV@3P-hT6-1wwzXZ8HC=aDux+)C+V(%Sw==!zFevC_zL3me~lI$=|Yb#DY?Ts zuhXacKc2V}%_$HtwuZak{KgR|(<7ExWe#%V&ZWdZIHVb65kjhIARhw)bS`b945{gZ z-brJf{$Yw@qG0S}GXlRjv!g9Z{b3bNT#wa5?uj 
z>b2)VFJ)pdXnSxGRGIxIRrYp*1T0 z$N+K2W|3{?d?;dN+n($q&5tXAlICB7`oJ_=RN7YbaPe7jvZ#&IsfBn)Ipxf?U8 z#FvsieMpnd*7yWgT#pceOD6h0%%WN%X!^`*yCC5=pLfz-(MBYKBb;$N@V9Q;HxV`+ z)C`HRMUu(x56{Xghfo8b#;#k=jH?{FPv$z%MIHb2xF%ed*+zkk6DT!P^d|Q5ngdBE zuNyny+_o$K>V=w^GJ}Y@i?`#0+h7sSNiY>_IH0+C>tGXXP77($po6i2Iz4DgSPRS; z0Ucx6%nLt$0=2lqHEh-2CQSgRFa>tfGr=myjwR3fo$8fP z2FkS}rUeWM_zNn2H^vs5(SkNyVA(_(8b1(FGCv9hx9>>&gDn==>++j(567!BHa`A>3a@Czt-hL(#fKatnnENOTn*Mt0{h(%?j9Hx zFlOId+Fn}t~C%-APyl0mjz2ZhrjxO|)YB%%XMe^*~ z#p}CI>0OaaG}8OWEf{!X4(p(NA(>)-PEPH@okq+F(|JeQWVds<(}j*plMCNa)tmM! zaB1i`mm^by!(nqy$l-Zaa$rj8YYr7amU&u;vga4#KIU*Mhbhb6-EM~DnyjmTBk8(u z=(Dyq%fA(T(5Z(uM1ocpg#)Wh)1(rKb}{IM&N8ytf$#&A#%y=nClUDkg974~%(|Z> z(!yTSuaHX>HD)nip#v8$0mZ*qB$4v-u7oudu2}(8YZ5C1lq8NPA==?WT@e5f!sfDq zrov<)V>(S(!kiCOtYc|IP~*_Mj>}!g&=QfMsTZz?aGEvYJNia*XaYv&Tdl-YQE-8B zMlDsY&Hzp+t(Pa78hp>=vyG35`U|I*hHQYUoN8Fcj*MPP-pB-@8_}sfG-@?Yg|Yq; z^%l3%>&r*oHsq8u3mFCr8RZV3=jJGRjCx%R1y65=OlO--1a={?y2-T@f6@u76LHaD zRHvdMa*QE1X|`+@yL!gjAWey)d>{>HB|JgV^jwz6t79DaK$@u4X*B`&-@$iIN}qEQ z@7=9@--1TlVteliK$SU2^ptHy4770r$E(*){4)ctY^Woe08@S7Yuyh zoLi3bypg`Tj(3Sy^78?{(21bc-7R25dvt*j6OezgVS;9~Jm(>5MWLor7!Dgx=IYfo zstB6al2f0W2daf=Oj0DAsv8P`@5E%7+-AxU~EkMyn%rAbkyCy4mzk9n9F- z_EYt1H2_-7%#^q|^|7g>XghP<18_;mod4CVkddpAO)H~}!ju3I13W3_eM>GZT?@GG zelG(^MDkOq%;K%07D$X&6IDf249=_`S-@$Y6cVD+c@1}iyK^qRZ4PsGum%*XAP8OeZA zI4jQj;9vFQ#4+Z=Pk@eQ&8edw>GuLqzGbm8X#z?n(%>_>^p}p3!)+ zsUzb&^1o0x^Hw|vY$%r%hl8W%{ekV=k6{g^n2=DPqMC3`(#oNYS9q+ujZ`(_*W((b zE_&xsx+8z;Dvyg+w%`jT!s>d~QK?a@B94cl9Vcg4Dm=ll?K1z{R^mR9bh_Lv{CmBX zNOcxqU#u3XWn`{uR;fgz+k8l-Z}}+h6BICcO#e>ZY*}YkJ9v^r-d=yspbK1Ut`*lT z9%a2~^4RtO=H3v3L$HvaRbZkZB2OhG=1c%se7@VVI@`{=9IWY19eY6f<{COu9@|^$ zW7;HZO>#A$RPTVG@E7|a{GGO-N328NvMc!Gh{{o179ro(HtOEM`{ljVvQU#hyN2>9 zD~M21Yoj}@6g=2!pVUF|WdNwUT`jEMGXc!VG358&XFM}cg^ab0$+QfXn+Ct`{~iJu z($mO|XHVq78bJ?>bs2qC9b2eN4$5`nCoP@&n^|I5WrLlHxI@UgkeS?m&$-tagVUjX zk<3Yc5O>U_b(8PHxr0L+N#BA8P{*5&)`2#fVn(Je+NSo+DSOCcZ9lxm;$dFq3co;1 zQ}Ol=FNo^pZr8R60qI!3NImZ)?>qvA_vD?CZaRsChUGgPE!+%-e||OP!;5m>7GlZG 
zA6}y8lyPpMHr2AaINNiF#d#|Qi73sx?8-p(a{KLq{F+AQL;YP}lyUO;TeCL%z)6?k zMUA+4bQW93C{EY9pV?S&2E57`h<)^LCOci5M?U&z>Zd;FA3nH5{$2al^^J7ELj*f+ zH<>>6@H z8y?MS`*&_U7C59<+jg3ov~Oqtv!PFKpAR#Kq-E8s+Hf=HaL;cY!3Y~}17r*R{zbVi zYX^RgyXAz1PbUW?MTW5_pgmCpVe9vZ!~QL9qq$#XXzaDp`L zLD9|~qJJVIb{==aoNl_S$;^kR5Fa?P*^4IdFS0)&uijpP(OOeWLv-mlD zFTXChvC5hA#?*5D`AI@KQwo}Lox2y8QRF)T$Tb?piR$=P7>ojW#*j$#iF`LKji-Y|NC)wm>FuI?8tYFbiz||t z%kn+`i--U@>sJ1pyK7Lf^@Q-UE$Rq}F_H-z=&G6|z1yUyV(FdK{#=c`*{U#ek5D0i zW4RoNZ@w*A-46vQf+ESEdBt`7-jguKZY|y7F7~-JM4&~S3)kgpG#A2AtVb=R0@Wol zy)pgP*-H zDarF5#e;wzv)0mUS$5A>4(aB2Apev#A$50%kiNg=ix5xY*jcn}u` zd)nlXQYLFSh&g^zrxiE2`LoR6e7j060A)Hu#}_3)4t&fGe-dnRZ;`Ix)|HIoc!L{vch$gYUfa)EDo16y(ZgB z-FbU5yK3D`Zx(iv(Q;1ar{5EcV!}^^9^H?`500u&obN^J-{hbBPkf!1E;b`3lv)Ni z;6gyI%J)H26Fw`9O>Z&hiXe>F6#eQZU8rg2n#S)SVXg`{NX%lJD#4vqE7puWWYqNTS~z}+pA8_* z(31srT1IUe{`!aV?fP@z@No(%^_^Fbk{CcXBH_`no<2shwSN6r*+$Jv2RSTjOrmc4 zMm4);GhZ;w%4>Y4+!^DOTq?x|0yX3}UcIb6+(S5XX3E4;U3!#j-*6YE`eay+ynm}2 z;42vy>=QZ0ark7YiVQhGsHL+!)#kBiP!~^1Cya4yg9+94<6c#M0Ksd!j#mx=!N(p-06v1c4G01@k>hUg z0Gf!tIPR$KAP&q#>dXpSVcYP(=;6o9t=YPCvLcGz zKd2hDMzs-n)`mMj+o31TU8r=8=)jg7{%}a>GS4uqu1==H5)_eCa>S=djJ+=^kG}`O z_El=eq(bskDI<-wBNCK%=Fm-Lb_$^;TM2P>_GdQCV5ZxUnn-3i3@3>V5&;r8kBPBH z(TMfaRMesD#{1qDWOaTR#lpgK-hR&hVrVSP#@Nv*moxu{2XF)nRb2LdctOx?k!oBa z3Vu&S?GWiIH2Lu@y?ad^tbfvdna52FRv3$V44l>c)MpJrirA>Wj<)b*k zE4n}T>>ABw$&4b|jbXzf@B(HJ_Ki5WvY!&vUIswcyg*(sbGR=jcL!^m?<%Pe22}^> zC4Kb+hrUEF+|#a~oRB_NAZGs^51$Y4=DPE@S|ZN!GboXnwmkuFy_C9o z&F2A=szuE11BL7WAuA+2ue7+9+L@hS1#@4Uwh89p<2~t*xt|a}FI;htGyKiXzkc@7 zKSp^6?RE>kMYPoF|D>eF84^kX4K?pMzm%CYGvb4AU zG~DS=B*a}2(Te1-K#@Ud(Tn}LC1;%DKa1`2e)s6)@`@W?f8JS$C2ZON_V}e}@9EFx z`*z5^zA?!4#_%S-cd&4cF}ATp2>^UAaS9#|DgKo_lJCYrv`Tg0%ifV&y1aVxi{GQFrDM4;o$%a#UM=pL(hyKEHzkpYP zEAB%}!WFs466R^<-n`Us@r}VkVL-?4i-7ecjIYy~9MPXy%6F#nXMBVRe1L-MkHZS% zrq{>CnyVwTWf{x*IT#f_xmOk_mu;3gN!D-92+k#!2et#O1e1QfH{c)U=N-dOm!~!G z(+exq$=5W#ZyCOdJH{Eg{_nlcAJGuI-F0Jd%|D3?Yp0C2<@lRdIeTUXPtLoDgb&^Y 
zRK9b&3S4dh%sD?I`PL=sX#h(CcphYYt_*CdWgNX}5G^#7vPwG-hkox}b8yX>qciU_ z@3)-^ddl<07ukNrZccQEngiXMl)Kj5rZ7R#0CvX{l8Si3ua$6bx4U4pyj!Cf3O^ zqnWTnA9tWtuvhy{gdJ+fM^%Fkh7Qt5b{1%J_`B+5OhlP4Tty)=&j4(rupGh^?Wzu9R6`|QfVuT}b>g;w zxCAv95ddwOV;f%WDDBs(PeI|rkSsD!%u$Gwu%C4pXh4=>A{WcjE2VAA@lxO(+goKGg zKZQs}B5_b0eAgB+3mnJ_S{u zPvACs6wzxGkjG*~E*@h;Xs(cZ{ zcG54H@g<_~*n1g>Y9D1;(y|!!oWqtxIdb7>|6SO}xZ%%QV^Z3!lnvKIii0UFCk3M{ zo50qp@P=8c1v16J^@EHtEI#J|*%au8r2Qq-)Y&s<87lU_ApCQBeqOGG`a!79BZ4o;{Uc_4YoA^0M^& zuT>tO1Xtht7YURLEAVApS!~D{2&m`_uF|r;uEghq&P6=!*XCO8m`t(ei(jm>e=hAE zkbK~dbEmd5Rc{!|7+lNVAF#dl;=|KhPY4p;`qPqRht@g(X@?Jj4h&Bv9*sZf%_OaDrkVav)qW$Doz4jL); z+nJmGyfA0mRiCBfNK`L~-Z!;PcHND*N1BWA>S|@#ELiL`v&icTKMrl{2V(`;8xc8m5~oa}vTNre1k=285+OOO!`yi!FOM zVrmDw-+Nh?>05r<%N;b2vYxI;d#LuDOug!(bDxAQ8(8x#Nk=l(5nPtYh6vUc$C8%D z8TY^+HB`6qr(OD+0ar&bDT9;i{1EQ<)s(R{~Ep- zf@85Jqa4l8CZHa=sI%5huhXSY?>-uGa3=rkrA_*D*w{yL+^#TWc%JjPL(s#JAv#mV zy-31DjvpBwYvx)s08@U+e%P3^k*z>V!mJiOJI3DOk1PG3YJq)`Em-;^y(;!xtr~>l z5W&YII(AP`@G)`z#wQz4)QrSi6MhO}*xt0~hUpG}OwtYXpo=SQEmFrr z5T5?}zd>6_CI{Uk6@9PXMzF8p8z`TG6SXzdl6W^$gYH=oWx0|OxhxuXolw|D%~jBp zIh7Z_Tx@wOnVh1FlJI^kVn&7~qKRR)bhv*_bzEcxbLwQcC^^zX=}Kv`&-mc|1lpc| z;GY*?E*{G)I%^Ow+P_eKCEf6_2X1{G72&rt54-$eRk{xvpXZ<0kzWsbZd0%TUj7Y7L&G@}_`}pVja>JJ-(I#^$6JLYNOIqL0@n73WBnbLo_qUe zIQ#aUZMf)H0~>Is%~_-rE+hmx;3%Nfj>LTTtPm2C6U_Ga5S9YD?J@!v3mha58(9nei$z3?;EL{MN!KZE%^i2T}>sAHD)ly$9 zdA@}eQwW3=$%BA)BoHf+0+en9G_)LKcAG(6D!`L&EwIpqf-)i|=&ws(K)?ySfcE@{WDQ<&Od+b^K+kaq8W4L3(4@QI dR*yY2wOP=}0%)%xG^6z^bnHcm(e8ig{V%_hXb1oR delta 18694 zcmXU~V|-Z6(~WJLjqNnHZQHh!8?&)(+ji2RF`J~Z?WFPB=l^@Z+)s06&d$y~yED5J z27VO|-Vg*0n0v;>e}RL5SiymSAcKH_c-b*|I=a}JI6B%gdfD66XxKaMaie?&EPO=h zsaXq_M%_b+g{h06*}GrD%^Udoiil9M#4dlESu0agf7^D<0V(};8GTL!#v3rPZ)uT- z>w4>~n!1j@8{FhmQS2(aDwW%qvw|%85x=o?a-Nj{bj&zU*sw0;N6iVw1$-QuO#j^v zZj?j>v0+()r^y~*7uQIDi*a2^z|%<+V((EBe<7I`HHVLF7w7MUmt^a5C#H_@ zT+{KTpz%rc3xE_|Q7k4+(5OxY$$3^_cbuJGk;InON$OVU!gI))?NCXib*~)}q5Piu zjrfcor-{RxZBSFbrHG0f 
zO7r3?{ypdqC~VO8xjp&;c$UGYIgK8Ivwb5@3Pki~2&tQJRpB4m2S2Gsz|UAJe)RZA6N$o zV5VorEAWWPgPrJ`@iv#q_9^bw@AlXL?#NhSf=8uDve~xUdLxAAkRQ9L^lhLTbE2DJ zRzwW?`_m4P+Jn(Y_3Q>Umt#sFT+a$L_*a}i)T~s9i<>L$2^ygoE90YBeOGG}O_Mk(1{O zF9Kf$yyyM2L~o%=hAg4l%hoPTAFs!BPGgGcyjCTcSEcG`>J~+-_fd~Rt7@KVKV-)J zAf7D4BdJUuu*gG@NLLWBSznYlXcBaVAI0fG)1T($>Z>z(IrP@@E~%YHn}b%iz`mdA z%JK_eDJ{M!{Vf=L5gMM$j)f)3LTm8Rcjf1Ff!7P<{*;I2VyR%%_?lTdk;lTn7N; z<$$M+#lw{M)<-%=EN_y^T^jle7*k(fsWkF@qf3K4x=Y)?K>cKsn_vw_sg$aq1>-}W zkT4KzA}Ba1qvp_K2f38&v-NU5^Ww*dM`!Y5pK8rIsX&Cq3;`&gTl4KAMQ^-e_#K-t?C1hfc(5J;_p3idp8ds zyKZ;^o${Z52#r6hMY{v5+fpk#lP6AylN-%3n`_|B!QjI9D)owpK|sP9l4}@n0ha&N zAtzPeah(|>{F>@gP^^zC3OxcvOvioBX4ylz_N{|64qPLdyIDR+{_UFA1I4`BK+8DmZPiJ`^%v% z^-R3}I~NfOUT$$K%OyJuyY4-ZWnJBTKR%+x&x>j}+drA_mxg_-I!=S@IXX61|S9WH;7?)9_D?~3&F|{R}sM&nFUzHfm zNH^Cz9LnlgzJoc)OElDRZkcE^n6lKwE|3tyc?T&kK8c1#MeOtd zy*UL3O4wG#H~NcUbN95|IXpN!6Tjd(*zs{VQ{18ZgKa@(8jVU?<9|4N5G~tMi*9;<$^#bZ0@1J$hawq3AZh%gSQeKVBM!99Qf$p#JJ3WDWCPvFi+({|ghV?6 zg!db&LHbAsRp2EogrRP9i)A2TsNNcimmDvlQ3QQtewno#qod6V+W-G1riXh7tdouRf@ZTBs_4U6`PVQyWq7<6A zVb}>Y$ob+GEQ!emq(gQ&i5A(>ECT-G#l_V|Jp+aPa_?AO6M!g6U_RM5qjID!-2=RQ zyglcip3l}3Z+|`R3p#$j-puj!c)zT!3L3@%ueINSkJ*Tbr`_pxp#S~-cI=oK__%#M z9(fOVoxSn!^Sa+I`+B`>2R@nnftRO`*?q(MEe~YkZGac@ZOk@sf4iUH>*+ea`uY0v z^Y7tq1ebcZK3xLl=WSiWCJcOu3+4!s7p`0F(@ zhXoQ`n;~F9!^n;2Zu6QXRR+e`jAMINs%(d3%GiRDPRi2vbJGHjh!?(o@Tt-3kcZGy zUzkd#6DY6)O@xhy?h*hivWF&F_XH`b-v2>guUDJ4{R0Dgj02__cbf>n(Omtx zXuRs~Tr^K%q&xV{$j#nu1TKbkf~yT&0vkvrfndt7@pkzQY`7orYDCEk1;RzL2{FMum$o5b) zyo`uAoLs4MGm4fn&t1x_ATS>u;U@BTPJ=9&SL~?`LKE&9LN(=?CjY!E$yQ$Fel=5p znDtsA8x$yzqsl!(22FJ*`&D=yJ*=wwL;zwf@iMZ3M-6)L2&nDy8L?jWgWmZBn-#Ak zqf*yXU1EUIo{M3LHELQ-B0-Q$S7?^tQKOnILu>`Aqca!#Ir2)i&BLST&gpD)2D+q9 z9aXoG;oXtZ{wO-_7+QusI{jIvfT)o@N*f8Fv4Beji3x1US#n1pG>9ypo|!u*fwdZtmu=ZOw@2@BGXD5N?kg{ zd&M7URfMzHoq83E8QndD&Nk$ezw+XL+eC7)|H_v6hm@*Ig0`v2q0Zb~b{bbN5?T?P zn)`dh=x|A}=c?Bhazod>bHb5%?PN!<*tOh(DS#gI+*Bhd-*}H_x74t)A{0f^ZIXh7R~8yIsGrV> 
zM5#I|>q35vdDC1Bk1D6}U_9De`5du}N_3WZ~4MPTXmgpS1jGWJl!?8aN*2YTKG5=qLOq54L z{qy23TZsMl^*XtKX|k(BgJ_~dr)d5VL&_|Nrdq0zFaNG|g|$}2C2C&Civ6E|1kb`8 z+|rYF`%FN3phJ#mtW0;(T$U&&9uu9}!#pdqCPS_`lg2g$7lq3WSs=7qVkYB$JuMUB zhb=@|po3$9-dQ);{$|KA>juXjJ;#Fk0g9Y9IV--6jx%waKKXCI0{hjr+CVg+Eq=8O z#0)vlQ)O1$(cK#N`~d;5!_5$kE7AfNIt2q!c{<=~xUFvL-&$7=Q!^o)^(dXlFS;N) zA2iT&oBi5nM}7x$9ZyD2VDdcP&B}uvp5h!#{VWtz<5tftg@q6Gz%Z+#VOD5rR88X4XfW(*4Bw_Yl&21+)e)C_M#j9NF zM&47mrUg338c_vXLmZpBL#%|&NIMDG7q`EH=|nI6=3fgmP}ljRK1Iw$z6cZ^d9&g4 z9BRHS1)&yz&-|xSoeG$3;FQfKcS3zT-;0q=ugJAMuJynP|4E12F=NCGm18~SZ&+i^ zQr2XW^lAu&f6}3aPNxd1Amz9;1iKcyZj`oc#$^*i!{lwoLtxwd{$LSyJ{N@Ept4c; zKld%CLQh3TtQC0|o&D%pAAk@U<=gkwDw&YY&ke~MvOmjZn! z5TCRLSvBMvh;E~?aylK<1fOz=7cV7V>T^d#OGK9)M>o|v!0r)L6@(^4iNQ>XLAh9p zOhQM4P?9Sq)T!jt&sorO_LV_i0O9xF9On--JO3DIfc-kE`?pN#V zK(6m!^vsB(V{j8V=6Z7Cfnfcozwr8D_kj~j!{Fl{k}4#dyp71zp2P0xnnI(xvLCre z!)|)g)XWgTg|;Qk5^V~|-CgDHhro#z_X0Bwftz_A-D9Ig(Q*X?GrD?LPY0h9V-?2| zLVpn{{zyD((r@)NWIq|D-PRX8u1FG|kuapbZA%vPc+N@AfYH*qAFo6ZNw{mmk@)9W z$|hpSWGJK-*}eK;njDaI7Mp3PVvO6^gtL~qY3`9Gm*XJ;L{Q=jl0E1`0hv_|WXzdc zND$+;(E?dp$UlUBG1kvh5h8*9+Znc^p|x{k9M94LBCXRhrpW(TyOh#S!SL8`lJtU) zlenX3}m4tLV2hQ4on4py^HoJ zpsA&k?-5$p(TX{UJM`?Y+~`8`<-BjU|4IN>9WWMDBGBjb1X;6*2s-%j1bWDm3-G>F z->?ponpITd5MN(9Pl3{dB!gy*4zDdfWkUqLyL({uX)B9qT6Hw}a!`FD$xg$d9BRd8#PW+4j`qj&$*1iRW~EDAPZ(z%})xrKVlkC|k; z!pg6dOtl@E)6OA90!Q6NGc9K!4$#43PY?;|)DR0Be^cyg128Dq#7Q&b?B8Hg=xhil z2`USyOS-j+GYMTniW+={1)df`K0|x`evtTsQGy;sYjlui$n_e@SVW5etQ$+XK`!E@ z$N~^*N*D|JYV6JO4oXY*;PuKkEDwkF8=xfqE~NhhQD(?F4lA*$VkFr=9BDyJVlHnm zgJNQYxnW~c_?GfHbad|c1aBDE=i-AbFp&SZ`XSvyv#wHq$q6|{sWRQvXH@D{)u)Gm zLe;Ks%N3uK6R_0)j&#}nfjo9s4%p&)G9`!7zxowGgDb(7GI>}FCKPFc6Cf{P^AqaS z0rM}E!d@o(RcaD(eUcWFip5;p_vEAtP7zqs5~(~EmQ=g!To_;0jYcyk@vH=y5>tx2 z4(aA!S@It}%d)ahT95D_JKHBC!auaZKspOBkt>u~n*j*w%(~Qp3RYIEoU>*D;^ zEnX7sgnEiilr=&V`}1S(B-!vfySG9)EB_&aMOd35$du|T{tJN7J9vPr_!QLV-efWA z4r~l!QhZ5#F_fJ`+^tkDYwl16>M4&~5F%&t*}(owc8VNP&=cxO7X^xv@I1a;-mMw& 
zpW=!Qq&jLXbPHHHDw60d3XlXkxHUOtqldK}!v88EK^yG<5z11Y&da@v2e_LaPT~^> z^9)QV6&$i4B$_Ql2ZLt+0s#Mu&pKSjyDHw;0KGU9p1mG?3hd(LM6#GK+CH@Zp&Fcl_R3K@A~T5^VUk>fZ^{ z7Kwua96u~eEqfQ`_56TD!$E!2}b~3w94hO`=%gI)#FKF{k!tA1g z+zX2{sB2MqTGmh|`rB5NRfVzqk;E)ElZdch!X`+4h!KS$j;J|zBb-vk3kHgNsGXK9r{?tT9a#b0FPs2v7hiCfEe{MGc$ zx~<#~#kyaP^}IAr)-_9`;(Nhk`!dmSt(P!x!}laLdw*v0@v8QomXt2zt8aKoT0Vsg z3|j*$)9bIPQg``$;!0ffijUZsMrcVRCt*jc(ahQZ_4Hz0h_g9(TiMlERx+QR>-qLT z-O~Y6H+X^B(7}iunfNy$zT;@_GBlQ~HF_5m@fmQ6e6mvhQVV-UT`n!w2c(MKz{C{| z1)q7&5G(6#-4FBTZGMvAc8`|}V9tG0?`aIpNskdFD;5`@Z9ODC$f~|rZFKD5kDt$O ziNhj%MYkC6>)g2cl6K)9S?-l~0irW3KY)W?W+`U#%M$zqZTJEBd9I9>XU z#jqh*0Tx0aN29Ud0Bt^KD-`0}42&iveq`(rnqsW0wo3Yv-!l-(r*nB zFAe2FGYY#rv9-e_6gb+)LTzePLayOhmDa*$UiI>(ee_`b--6psydiw%+z$!BGE)fm zInmw|B!l5rzJUwi;hIX%+nOE$@rdtN$wb^?7aTrTrAkJgmw|TR^W^rX%5D0y&=Xx% zXToi%%pMkLQbt&SB?bzoN(Ia$d`7kT#MnOu{+YQ$PoY<()mRPoyrIlDGV40NBS;I9 z-nPGQ!q&D#$-Lg8+!=m85qWJUTE@}44n28AP2!$QH^HtQB}bs7{-^*>ikPHf>Eg`r zsh7&_c*Cyz<66ciwP(p25SKxWgkAQqtro$I2&3f%Dqrlf+pIm{5Z$VtY7c)r@Q)-w zh@e{*u(qtIRmr3}9AaB&B1i6AQl&L(wecU!)Yt#Ivdm72YX;FO<_oTxtB6e3Mn&&5 zr_i=PNlas3ZoI%ync@NT3867P96)I5;97d{xeE!go32X;{~)&cvq=9*Bh6RdBC zEfn{X@FAuvd$m=-CcEQZSO1@ymA6gMjW`+G>u(bVMKR50k=O}rP>g7rEX)+Y{FXck zewriBuWl^ASr|&c{=&ceu+T>?daA-H9;l0LBiYcV3N~~$={SgfOG@psJPBwKFSk!& zI*8FQg&HRi2B1_W4Kd`9D9EH%@hEH@tCt>y#AS$C)rr;-D(H*xUUXANgsPOay4MIB zamo=>1$F4Bj-$_Y=H1IkYn>R>@YZ?xBqXbB)ULw^TdpLy_YT*^l zoVztGZAPr@ArjR%&9p`{k}$uQ6ajYoJm4yIF>hS~b<@@V*t-+Qb;fvQ1+jcR1w*o+0mnwbM$L@pLH6q|@$~Xb zkYn%_px!bQnK_h_mcp`Ue1mcYN7o306Lqg>unGGyN-e8F1mZ`qn|%MGTKmdr?7 z*hA$-myY~_c9#0MBrSaJr!daDU!zLEvB~n&SKAoNEy1L0kUB<0cqRO~?z(Gh9K4wX zz^m+u#R0+tfBOePXE4vIaKaGfa_CK`Z)G5~SGl&VDm2p@_ICg7-?Dq=RcXtHzjKKV zVzB!N5ypygmB`sEDTRA_7;p*!S&JNpzCoRH zC&d}UB-dY!%;NoZ;s+LQuw7pMcA~%yAY*WKzHh$TXukC?Zyv$LJuy0Xy!9JgX<}FB zvxIEbTnjo|iqcAiNK1R6Cz&jq%u&I%2U>G@ERg@6D$}A;a89mpKq#X~>6nKNIftAW z7nclQ8E`;N(q@o%O)Rqn!O}d8uBBv+*$#+rk0%xWwO{Ku1BmkYPLahkyjQ=OOgqmH7&|9_r zT2uc+)qdvL5}L1a!0xA6IJM4P|L$1O>R=Qjnv+$=PowMcP_L|Ya$bFQi<-q6+la92 
z<tn7EtOAI-bmmB$ zggUm+A`#B^(#4&vqL8>I8RL)P?q&U%s&f85zsTQ_ao`YEB1=S)K$ySb05G8Ay)JyS z*9(6thr`T@Smq9E;DW=lhz5;nEX8>Pk==h22Dz=qa!cLrBw|<{javy7n1Lvza!BI{ zniXe+dgO-<@KQA>S(dDrR4sFc4nv7Dqio9S>dMJ{zs_1`L#RPo`Y{D6QkD>WLBv9! zYJ}J?7Oeb|(HwTk41jxj$TeUk#rT&ZdAns)0MawWF8yytbsK|AS}}?Q+=} z_5uUZPZQ}^tcIP$Ss#^95f1Rd>NVX@n=WIA}U*};q+2u=g*W)Pi65@$A# zAt$M69>t5pY__W4QF4xF1|cpe?usJDt_KsR0kXOW64N3BtHCXnNSwZd2E~dh5T=q8 zmQkBH>4zPv0!0vm z@wk$b+<-t?op%egkqv;6ANnMzLHS5HrCsqHpl}T4oc>2P5*a~d$I2*d3Y^z?nU%hs z1?uYiY`{aVpW**(f^VZJtVrw=_SgABSkT$wa59o970kI??wK>uYuR$F12@JsgwDP=KF8E^=sW8MuM5Bc?9qgZhKC zxS$PHUQTOUbNHosOpCjPj`a+}OAal6Vyp#yFQ$t^JS(0edC<|ntp>>PDGXQ&!#-9`G{_zc#OYoX2o#|(OVDqI#|F+)y-DwS{|7KjiQ~9t3xaG$Y zxPc8`|Fit2p}xSHou<;oD%MR*dAidcOVfs;Au4&ozO2$L@W&4Lox9xi_1gd6BXja` zH%fC80|qzTG{Jk703Ha4kA3o-xf;MY5{5U~%hqdRwI@Ji%$mkrpJsAeAZ zeS7P*G{JlYYL*&5D^^eWd_QP!4f|ybk&{RABj7R1O!iE?Z{IIAV>G)@&o#RrLe}GF z4n@@ai7GRRUuoiKvikaZ3|EN08&Fuc{Pu6Y3t2)who^M7V6q-P)1+$7bXhzrzkYux zUsg*&x?e%IVImB`_1Td;0|4bl?#JQmGuC}(^;;3|KDpGtDB`WpKbBY{uSPSke=4I* zs{|ES&keg6MR6k)r9yW_umOG1=8I2bVpM*v8zPBkadFcow5Y5wVm`GaYbTeDQfhEr z)5+;%+MTN+l-bWMBS;@}_m2LK6ySV>+pl#)!;|`>0X~Y^3Z>a5{J?mzQhvH}PP8@w z!^8Q4RE~rz3xc^*{;LDoRncEcZJBmqtVoglHSd%>zo%sO%3BY=fW0}~hk3@L0ncmr zpO^1>OPPHfYoo3&;zvDOu-GbyjA)y)UUuCV+Bs2iSOVDr2m=C@Hd{%!FSQCj(@rE3wl*Z^XnF+^I|zg;<+& zA?68KK`s8>_RwW-*l@EVbTe8P$AA2Q7-dPe?=TT3gb&XNb-@$rA+M0a5bYps{2m*d zK{TvT*8(oSa1s*d-VM{a+EQymyw1=sZOMPdGY>bgZx-z^&r|| z2-t#tG)4zltU!t@g&#_x2nfNS^ulVPatNm2#G6JTcx2lmZawdSSCyMDnWOzuoEKQw z@Kx&W;R$>?ZF}?U;qamHQiDM$s_eITOO8^<4+h*TT|tG3SH=?fra=AK#vyn#&{s}v z+SUA*geb8$V|lBmse5i6hKVIb*M6y*akcUy|D}0IKM9j>eFeE*ef=N`} zk^lx}Bx4Ag=HAG-;6mk4-?puQkAWD^5#4A|GKju_ibbW1a|%D*z4BJ6(R;FzazEPl z$(TP~6x^Z$eBJdbrxzbq?@!nfagG!iilWO5BgXB_Pt%jfLV3A-hBor&>$w~zGMyrE zHLhT%Eq43iO8kAK918*!GuW$P1Ong*CSIYuSZ(p(n^?qg1}Nw+d=)58ggim zHjsTQ=h2S}f91|k7}+sDj>`324~N3~#?Z5gLFv<40#cJEsgzfG$^zXG3M230MTYvc zNh<9`9%%54dy*Wfs{npVs^r8^R|B{lhT8G5^4zIVa>gO)Ng6mks#P)kt;!NpP1 
z%h6FT<1x`ZWVqR(STb|Kj4k4vvB0!xluG2J6hyfCEUi*SKeWi;D|U0z9f7#&qPe_$ zwuaWcruNKI)F5CuCMNklF@&7^ccW<(hd-5!Rs%hom4LA_n^8gM=smj{=te%Nhf!^5 zDcd|=MpC_x=Oy@t`i~gz^BA7cN;p?7_9>W$+MmiV8YZlybOeipDlu_t9&Q7vbYaRG5)X^6{8B-umu5jq1p$eH! zG?oZ1s-iz78X2q6P^0wKt<8TkZeF6WC4W&Ih+w0mjSxqE=GuOF z;+#Q+8U0$o8I@!2jfMY=GE$<`uD+XTFNj;v-Zdv0SQ!9*!LQL3NAO7JtnjoF_Q3=7N z1Xf&=E9_55snQ`@C2W}N186+b6q2Nquq+Us1jMDYga1Ls{MoR5apBRyImm_;+Jt@e z%XZQn#RUaRIAa(O-iB2#%=9jp+O4jk3z@zt9P*fMXOv=sk$a+)G5#4knp{+34fCkp zh)|tp0uIdqw+?OSk91-h2$>P_;JmLh!~Uq<=v;&jePsc-6Gj_O6ac!%up}4))1W!? z*P?bXE!yf#c_$UKwPx-HDCO4wK~~gTM?{(}kCFI_v;`Xkd-lxYj-Nu8N3)|Sk(arB zVv|t#H3~v}bF+g(0iOa%S7kJCR!fDz^FA%)V9HyV5;K+Ox(dE6#n24k8HlH&yF z(YJP$OG(#xk=}FL<3#(x8$CuiW7OzLvDjE@+a{GrjI}{8OxBTw4x}%TT$YQgK8e7m zFElW>B(|MIkrs~PeubQh$T5exasz}J2^ju`N(t5XS0%imIL&mB8kZmco>YEu{|IwB zR8jZ{q;+aQ1DF{Pq;{r=Et!l!^ViMnax3hVE@E?jV`+&<)7A;sK{?I1@S%TV7&n2U z^0if9t0=g@IHQ*+pQVE)mt4t{%nm-~lG)D0L_Hwr{Tmh}E2kKiGN5vlP~0#>=|*&G zlZ{waP-Fdmj(Ukr-Qv%~&^7LmKMolb4;*Pr1IwO&0mS^QhroU{{LQ8MK3M*H;7zdBMe+by2Bs-w%CCV0yBA_v;Ii>O!at*DUOoV&Xblac9OHYBzj zoJta=0mm6In>F_J<1XbW1HbSy3oe36u;y>TnaBqJ&SYXPxKhv(It(+Bi#cC6uEC0? z7IRHdyJ)s5U2Z6CP-dACTPDi;gi8qR0(jU$NVjSOBgV$Hva*9@HQr{RYepbt zRO@%y%@qnYI#vWtdnj;^%mYofBaPg)a^m6>E(*un|1K2qAp)Ho{8g>(Re9~A{%@0OAdS)-p;;! 
zhUS`ycPwPXg0@?u;Q-M$vEi2vkEYuMv*Wd0}dr$%=(AR=iLS7fv+B|Bmx=&}9*GB8_H0JWBUP0cHKttwpYoF|4r^ zudA^;MJ{Rp|Cz@gPm`i|E1yWc294ru+;Mo2#{@D z>kwJFdAli;D1i~&R5aaY>$2B<`zUeZs&*SbWLU?#s%W}%+dQp6Tiwd{=-uBp6pqHGCT z;lI=0wpx(gF}ym*9xS$&A3!l2S2~!^;o0>So6~pCDC*W}14ScOwKYA8T!VTufr>$F|T}8x|%&`szH~dqF6Mj4(0+WvSl`wRq!=lEKw&Y_yaXY5EiJ`#MCdqV1Mif28qYhqZR@U9fMT z#c@Nf49BADp;bA8e;BCL+tw+wO#X;SfEZpeknN&X??RD`#l%2Mx1KBdndN}ndugQ) zSJL_5kide(FrIqPp==`t&^I*E(5hLb)_OZ9)iuA6^$z$?9xz;~TFmN9Xo-%K%NpxD zciTZWq#1M6VNo0ijbQZ3h_?p6T=} zrsaG#Nh8~aG-%-yjIK?OhQ|I+^gujcta!_-v0EZ$3Na~HyoKK*(3;u7q1kzJUTf~s z9m3C8*N%SI)~peh^(~EdraIK8Jy0yZA|Kq-qL~i4mT==D|IQKJqo_1OzO{|QtseU0 zrPSI~lV87{;%|BYfrR#ITSg&di0=lOv;0%|O{yJkY8In2LC0_H=@#G0UaES1D3(RrA1EtY1dva9)!OHV>3a8!;|fHk1gF z9c_Gd+H=$dMidzyJX#4tJa@Xbk7O5Kk$}=qcm^3p?`z#IgZ^!VHZU}v z^74}ig5S&;yhQ9!M)HX$j_Ba-)V2=-X<4{Ryy&LrKaS`JvX4mCU4;Xo4J$S>9uu9&@;pqx9 z{d$b8*Wwu7ZPUA|R1u5GWosG0^1OVFm435kltKirz%3iAF>Y+Vuh}ifxW-F3HV(YF zHLf0=X`2!RYSx4_?jMw+ulzVs?^!%AF3elIgdP=Jz@Ib$D_R#QD=@DQ(%{ z#V&oRC=Q7>T4X$-fUB}2H1R-Qx@>U)1JLnBau=RoaJvOTuX_Hmb)w+ijOg$TW!%(F z!kJ$DYc#Iv(55mXE1T|o^}&_f42Q&a)mVLn?gQNg=zHku@?qhW)U5ogHr&iL+%u*l z7~$~U0M$Xie?hLxy3faMtCF}CU%2^FnE50S8TRX{rgz5RiYVZ)?Cs}e3R{UtuXf>& zDROXXJF=0s9;5H+2j9`BzZVyJauOFujUwx3wrUk!k{uN*Xg8&=?_m_V9< z5JLVE03M~=tgy^7-bnGBA|$n0i575(9#UpU8eZHbShBa%+CJ5)x+$M1M)lwR_(YEk z`{<$#ENsZ+3+#5g7}NLCd|kk9H)B1eZmFlWL>Q*;yHiBQhG7^MfHr_CWr=mDW_gC4 zcj3gci{R%nmXj2*(s@yTBo6x4c^p+NBsoqo0$x3Tv!$#GTd5vhhe6O28zKX$ScxbH zLsFKOiGQNQaoNxN4m-|j2(K@7WIr{sbv!*vC}&AQQvLnji_awT5f9=ziRMJTbR`Ty zi8}2`E``;qFwkSRZi({+-S5cge)4JGRbwj^y$MbCxk3QQEWS(yC3cxyBC0yCv_XDV z1H{y?ADxv9`HZ4mfuUQ#mtJ{4TH15#W|Qs=f-2^^2E25x!T2?fv4cr6NX~ONWWu>y(wO zo~h06wWu5IOcQ7LGTyA?72wb_uSBg-0F@tJpp`@1YNYL+J$u@Gs#~{^n&QVV&tmwUq#W49CK7hIah`|bP5^Nz{SK)Gi6 z{`0X&=~diHE%99*F9@o0NAtLZ&K1ezSmgH|<8Eq*TPIm)*1Zn)KQ8TJT$Y#THSKQt zOxAKVQay#v*ShG_s1Xs1Tl0Bm-}N20U0(^?j}d$pGhG|5kzSz}^L$BsHE1W*88Eb% zqaZeqE2L)0f2i+dblmV|q=ed10eDlg8nRV=HLG>B$?WGab6nnta_W}MC$f&Txeku? 
z=MQht;F1cW6XClQz!SE9oDKG`jQ#eTED+PcKZ~?V$js`E zKjmqpQaFSQVYJ@)rr%lA={V|7r|r7DzL}kg3M{CO^fuyfA=NKW3rl2wVWWY9A&EJ4l$(rGa_@&qkdz@~<=|Ez_@i6&_^p&S@j%Of$^^k4Fn*2Rp~ zasSY#!e=q={MA}Gh9QW*6Wze4(tMXxy0VYwIJt_+KY+3ZQToW-2W*}e9S@KFW!7vD zGt)?abGCju<8LuDwm`jGwtupj-lUH&81e~_lqMAP#1OyzwxjCz2jEoezPySLF!erhR6l}%*XL|6Sg|Rknp@u3A$Y zOT)!CB&Os@fE^pxx}ZGy8ie0>Qip|${HH`hl)#plOs+Va{#Qn)5PFi85O-LAM*TFL zY%gkKv2Hu66i{TGFou7J^1~!L;YvoE3+7_H?`2+A3*h%lCA>$vE`{^tQjo4yk-+5 z(R?Q_ALShV7dk2Va6mO%Htf&gYBm&t=I1)EZ(aIdxB0j}VAOYNmb2%GPdSxpKde1- z26r0v2>>J{i;!aNFDZ9q`oJQpajJ&Q;<^jMDW12uEVKau$N=}2RmjOL!4w0{2?NLe zFMUqczMUPIb|z%rklsF5H)i#Lk7vEP6RRV)^3CA@Y~Bm6tM;{(G6JZF_3OtsaO^*4 z2ytZ!K-;!ERP)vVF2N-sp;tt6UHQ|+{LI*42Qbwpa7My^N;s zSnSVnNkD^-``UGZ^OkX`XbCOpzv`^-9qIqzgEYy(UryECYk)nP`8iN0P|WnlHMiuQ zO9=1Irl*zn(#=OQB5(hR2W6eS{aUJ%DOcNa-Tk@zO1R#3ICKcfkE#S*mkYqEv}w0n zXHmb{A?Vph>F|ZNxxDa%LOV$Gw}cyY?rQcwydr+ERC0~M_Tb&@TNJLXH53x-wrWbg z0dSDm$u1;pp+P|Ugh4>aL6TYe@RO^0;eZ3Z4F~)QRDa|I00qWwEBfNijfxIG+RQPf zhI43AAN3~huB)2X}x zH*S0d^z`Ns&34K7u|w?mtPfSrxtf9Q*QCSA7Z_vXCo}i+P_?{fO(Q^WDl*u(i}D)yFO>G z%Q*x6FU=$M{Ns-Y^!&%DrsutnP|@S`=251DOimqj@1yww^!Xsy%pj3kU~rT^P@Ggf zdeY+fDf?Jo!)cArKhHBSefzS0>`*%c@9vMs<&w&WPt5*G=|@qq3MOh__pK#8AuQ$=Z_OnL4Xv?Z<^)S)#eA04lOFKEItYHl$i^rYm_{&qk? 
zdOo=$ZklRrfHybgqclSYLk5GQZMr03jwvFXQwG=Z?qnmFwpY9gSUUN|-cFyp7bWSb zL{)c~wFeHvdbB$^qgR**0&R=#0NWt)zPj)yEn_>MY`&^T0#2a`ra4$O-dTv=UAU}W zMmr?xJuS$t25YViwO>*oy-W0>C3J;=ozQ4UJ;p=n zmp@Q0Xs1S$h37?nxL06LooO2pk3$LwA?=g;D%dHCv6`3J$KER{9Sf--kK^>J+IiJU z?2v0>cM5NxlH>EmdiInn=6te^l+b@{ZehkfV3y=UR7ub0F;1D>8S%%j9}{l)>g6rf zXoDA7>gKlal7GWPxxaN_=d0!9@MVtFAfe_RLCQp@qw&`A$YQw;L77fx@Hs?0k$HGk z+q~tlA_evE83S=8Ce|^8d_CQwGbwWP`uApHLvM77@X0)kVqBXWN!1n~wL$77Y-}s( z8lCa5!{}S1hHe*eRTXX;#G)raR(MZBOS!2}pYqWLmSW#t4a&t2)kmo5uK15ubz72T`w7tEPimcu+^ogc1%QK1gc2S(+JMH}^-w zZ`vFC4SJpyX}ju!A=?NL(NVEZCxLEB#)K;a5ncKv!6k~?s%e@-C+B<7OKivJAFY%}`#6sf z!{x0r1a!NJR~7sOryTnsvk?#Ek+T)5DlO05liG_h(~<0&q|6R>oBbjbeidV~LemA9 zEQm8BFu;lvW5YNe96XgZfe2{K4kIr;F`vuYh(^vPK9|7X^=*8(S=vNgm@GGSvYQtP zKPHqyr_GW_!Gb-j^T+(h89aNf(R8TSOqct3cg*`TIiqQ3pJAmU{Wy#3i@e@^ndea?IDiWC`+m=bPjS0cP=@sHP2l zLXt&G$$FM;{78*%Sk>&bjz8BzoVsA;+~@wuYQ|5kosH=$JAqTfEa)%AJ{)3g4o8SW zfJHGkXs#6oN9!b+)%TAJgKPDIfK@0AP&75>R$(C&1m&qQ*>rm-Go*k31M8_Wpu13w zX-w1P19@~cW?o)Dl*h|Ym;1}^Z|r$*x6aAH%=8e#KeEc@+WY z*Fw@-+0V}PSBnStFPO@A7Os0%-OVS;yiQH3Olt!<2%QY)p>fX*7yaJkWZsNFXgZmn zmBd1w6{RetL>&S#mgtzNo0J-q2gQO!kIP2Ihu z7b#vmnFIUTPM!4Jn9<`{>{EFfcH`pXo^(ki%t?=x+Y(*IUYp?xoFa^aL^I@oR^`&F z&dS1tE$gKp?9dsm63e+;OVmK*aVZ6fr%ry4lX}uh{YDa13ffa zj;2|a3v{MKu_Bb*;QL;KzgB3-K%z>oJk!%Ls<~w(cj)3lUWKOEaoZTnz7eV{K5%Ot z%rujtpXgA&F2&sWxOHu?Z&>PkPKkrCwhEEc^g=;rsL^(@@3Nl)pK?6%rB<2jK}5j0 z@NLc1MDw|+aYrs0t;oaJwE6!_;GT+F~=v>g6Np zdP*%{sKP5BJ+DG~!jM6pP%taStIsK8T$Lw3UG<%fhd_U(O!gA$l@(6*2JxX0BA+W_ zz|LGw=g=lutwy`rHVhKl?wadeVkei9eTv~?l;olpA1B@1jiflo{T_US*^TZCv|MHevcLdbGsV&}L?4Vjpcyt7glKDaCR{V4a^C+B;4N{N0W>`_o&) zr5nlNyB=h=`P-M3<|6W*ekr&?kZJVdJs-zjM;#zneFl-u2Z4YZJ~TLACoH|+KLY}h z*uByF10e{?)KH+O8V4Iy+l6Rwum%fzeR_{|slmaV?16?o3gqvy1XsYWF@&yx1GTc! z`${PYM07viFXRau3zEBio)C+^hEHo^EzUMqzkCOUdmhV0xlKboJqH@6Ba9CQF-9|+R z{$=k4XB$pHnSk1$52XWkgCUInC2(mJ17#JwdnYh%M8lAkyObGB^39&5z7fqSTm37_ EKU*oKT>t<8 From a0dd8df46c09b760ad13f8a81eb46b59d629b368 Mon Sep 17 00:00:00 2001 
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 21:30:30 +0000 Subject: [PATCH 05/13] Auto-update Portal experience [arjenhuitema/6ca76b7b] --- .../policyDefinitions/policies.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 16daf399f6..694b06397d 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,19 +4,19 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1904119621032411499" + "version": "0.27.1.19265", + "templateHash": "3643494213906798578" } }, "parameters": { "topLevelManagementGroupPrefix": { "type": "string", "defaultValue": "alz", - "maxLength": 10, "metadata": { - "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"", - "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!" - } + "message": "The JSON version of this file is programatically generated from Bicep. PLEASE DO NOT UPDATE MANUALLY!!", + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of an Azure landing zone. DEFAULT VALUE = \"alz\"" + }, + "maxLength": 10 }, "location": { "type": "string", From ace3d66bb6a2e8e0c90c566aebd670ab1e81adfc Mon Sep 17 00:00:00 2001 
From: Arjen Huitema
Date: Thu, 6 Jun 2024 09:09:08 +0200
Subject: [PATCH 06/13] Update src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json
Co-authored-by: Sacha Narinx
---
 .../policyDefinitions/DenyAction-DeleteResources.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json
index d8fedc8fad..c574af67ed 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json
@@ -6,7 +6,7 @@
 "properties": {
 "policyType": "Custom",
 "mode": "All",
- "displayName": "Do not allow deletion of resource types",
+ "displayName": "Do not allow deletion of specified resource and resource type",
 "description": "This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.",
 "metadata": {
 "version": "1.0.0",
From 311562320255885dc758632334ba4530ecd0bb9e Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 6 Jun 2024 07:09:32 +0000
Subject: [PATCH 07/13] Auto-update Portal experience [arjenhuitema/6ca76b7b]
---
 .../managementGroupTemplates/policyDefinitions/policies.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
index 694b06397d..293c3ccfe1 100644
--- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
+++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
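Review bot: The `description` on the context line right after the changed `displayName` was not updated with it: it still speaks only of resource types, keeps the typo "accidentals deletion", and no longer agrees with a display name that says "specified resource and resource type". Suggested replacement, provided the `policyRule` further down the file (outside this hunk) really matches individual resources as well as types: `"description": "This policy lets you specify the resources and resource types that your organization protects from accidental deletion by blocking delete calls with the denyAction effect.",`. The wiki table touched in PATCH 04 (docs/wiki/ALZ-Policies.md) still prints the old display name "Do not allow deletion of resource types" in its second column and should follow this rename, otherwise the documentation and the portal will disagree. The enclosing `properties` object starts and ends outside the hunk.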
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.27.1.19265", - "templateHash": "3643494213906798578" + "templateHash": "1486114726608203419" } }, "parameters": { 
@@ -125,7 +125,7 @@ "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": 
\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. 
The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. 
See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. 
Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n 
}\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of resource types\",\n \"description\": \"This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": 
\"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", "$fxv#143": "{\n \"name\": 
\"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": 
\"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#145": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the 
policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n",
From 590f00a965f5fc95ebc2c2aefd965ecfe56a840a Mon Sep 17 00:00:00 2001
From: Arjen Huitema
Date: Thu, 6 Jun 2024 09:09:47 +0200
Subject: [PATCH 08/13] Update src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json
Co-authored-by: Sacha Narinx
---
 .../policyDefinitions/DenyAction-DeleteResources.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json
index c574af67ed..caf12e580c 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources.json
@@ -7,7 +7,7 @@
 "policyType": "Custom",
 "mode": "All",
 "displayName": "Do not allow deletion of specified resource and resource type",
- "description": "This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.",
+ "description": "This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.",
 "metadata": {
 "version": "1.0.0",
 "category": "General",
From 2cd1a2084eab64b3f22f789bb7d8c0b8fd320efa Mon Sep 17 00:00:00 2001
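Review bot: The rewritten description still reads `accidentals deletion` and does not tell the assigner how `resourceName` and `resourceType` combine, which is the one thing someone scoping this DenyAction needs to know. The generated copy of this definition in policies.json earlier in the series shows the rule as an `allOf` of `type` equals `resourceType` and `name` `like` `resourceName`, so both must match and `resourceName` is a pattern, meaning a bare `*` widens the protection to every resource of that type. I would change the line to `"description": "This policy lets you protect a resource, or resources whose name matches a pattern, of a given resource type from accidental deletion by blocking delete calls with the DenyAction effect. Both resourceType and resourceName must match; resourceName supports wildcards.",`. It may also be worth stating that this is a safeguard against accidental deletion only, since a principal able to remove or exempt the assignment can presumably still delete the resource.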
From: Arjen Huitema
Date: Thu, 6 Jun 2024 09:10:09 +0200
Subject: [PATCH 09/13] Update docs/wiki/Whats-new.md
Co-authored-by: Sacha Narinx
---
 docs/wiki/Whats-new.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index 5191c17b13..25e7ae91ea 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -47,7 +47,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 ### June 2024
-#### Tooling
+#### Policy
 - Added new custom Policy that provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA. Assigned at the Platform Management it blocks delete calls using deny action effect.
From 2c604cdde814dd2462e10654027c1ea5bea833dd Mon Sep 17 00:00:00 2001
From: Arjen Huitema
Date: Thu, 6 Jun 2024 09:10:25 +0200
Subject: [PATCH 10/13] Update docs/wiki/ALZ-Policies.md
Co-authored-by: Sacha Narinx
---
 docs/wiki/ALZ-Policies.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md
index e76417bc23..e72ad4ba06 100644
--- a/docs/wiki/ALZ-Policies.md
+++ b/docs/wiki/ALZ-Policies.md
@@ -122,7 +122,7 @@ This management group contains all the platform child management groups, like ma
 | **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
 | **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
 | **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled |
-| **Do not allow deletion of the User Assigned Managed Identity used by AMA**\*| **Do not allow deletion of resource types** | `Policy Definition`, **Custom** | This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect. | DenyAction |
+| **Do not allow deletion of the User Assigned Managed Identity used by AMA**\*| **Do not allow deletion of specified resource and resource type** | `Policy Definition`, **Custom** | This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect. | DenyAction |
 > \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future.
From 1c95b6e274ca29b2491b546897ebe8fe5e746177 Mon Sep 17 00:00:00 2001
From: Arjen Huitema
Date: Thu, 6 Jun 2024 09:10:40 +0200
Subject: [PATCH 11/13] Update docs/wiki/Whats-new.md
Co-authored-by: Sacha Narinx
---
 docs/wiki/Whats-new.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index 25e7ae91ea..b09c0f8c1a 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -49,7 +49,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 #### Policy
-- Added new custom Policy that provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA. Assigned at the Platform Management it blocks delete calls using deny action effect.
+- Added new custom policy [Do not allow deletion of specified resource and resource type](https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-DeleteResources.html) that provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA. Assigned at the Platform Management Group, it blocks delete calls using the deny action effect.
 ### 🆕 AMA Updates
From 9d678d48fdefaecbf74a18a119c4e5256f41fac8 Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 6 Jun 2024 07:11:04 +0000 Subject: [PATCH 12/13] Auto-update Portal experience [arjenhuitema/6ca76b7b] --- .../managementGroupTemplates/policyDefinitions/policies.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 293c3ccfe1..03a505eed2 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.27.1.19265", - "templateHash": "1486114726608203419" + "templateHash": "11067820150465502281" } }, "parameters": { 
@@ -125,7 +125,7 @@ "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": 
\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. 
The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. 
See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for Paas services\",\n \"description\": \"The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. 
Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n 
}\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n",
- "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": 
\"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n",
+ "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n",
 "$fxv#143": "{\n \"name\": 
\"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n",
 "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": 
\"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n",
 "$fxv#145": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the 
policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n",
From 9d50702892fd71d3f5376655424df1b9f3137be0 Mon Sep 17 00:00:00 2001
From: Arjen Huitema
Date: Thu, 6 Jun 2024 09:17:31 +0200
Subject: [PATCH 13/13] Update Display Name in spreadsheet
---
 .../wiki/media/ALZ Policy Assignments v2.xlsx | Bin 49888 -> 49917 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx index d5956b164011bcb498e3918ae8522e446350fc9d..ef277d5bea41a5236c971165936a8ba25363e0f7 100644 GIT binary patch delta 4445 zcmY*cc{tQv*q#~2zB9XlaB``V$|m3_6wm%iO6HazN@mj2~ye-og&U!v|`j< zV&c|4ygI`kq0|)uw@vaKA0@e)q)fbuV)$btjeDx@g)R?xknqrlFFnx=7FdxRyEQrHbzV7rPo>I=P^t-8&D5OxG>fcSoc z*@a&ZI=!LAi;EX$&Q_4baUIVq3QR68zA0uWm^~+El%8@Y5vd|eGwaV+~;<0Kb>Qq)^^wUCeX7Hw6 zf3|AeveAgNj9v(-yCR~acHp`8GQ7VtK$jQacp2WgqjGKG7M@71vS3lyPRiyj->~97 z3w3!p=InO4j%<*vSMczRLrtB9Z=$tacZAwQ4)7$brE9Jd1ii>>cwdzz2tI#W+bb+h z7N+hbpv_TWee+Jw*XB@}AMu`%rk-`Q<)J)llDBuB;Hlh?5w<9?hm9kC6*auK_I}Er zO`F=4i`pq9mUfn~jOow(7^#1wbg{z8( z$O7A8NI|Bri0bTfCZ(`%@v|M}23+g}cJnS_D1CTHMhx>{FIw7BB-KBCx|s6Ev{lKY zyzXSck=bPA)ckEk7Jaqo8;z6juE#EH#WkW;eMj?hJViN2sF1|Zn!#pt!HWKTTa6?Y z07Ukm4n@C9xD6|xhcEZ`S!~sv4GYKM>%jh)(6G|nyg8~18f3kM3&~1ippS2$p1z%~c4`{nK zUX7PSCUJ{)C&V_gRQ}G^(0|A5`B|}?tjszu&Y||7*6SLR6|og*xFWV(ZKZ8vjUwQY z(y>H9s##f9NAcQp+?8?rnW@>uPiZ(Of^J1j{u^1_ll}PX zR$+UBH$1(3ycWCutdvZRC-_T^PR(9+_1RcHbV}^#-i$98J?s}h!>F~Lnnw9ROg`v0avOrz4)nX^oGnUH)0&GXuSpLNE5p zV$xq;y%V(Vy7UH(Kt9>pq}VV%WTM>5gZ9DTx?6|sDD)}6lXVSUbYrA0Pts>&Z-X#` zsgCfD6(ZpBVb?7V-!lQDD=FxQCSBy7Lz4lbYV_N|l`42+qB*+`tn+cW>pT?E^jRQ% z!+aRZ+QOJbu->m7vz6$Boi+Ei-K^^;Xfme$jMciC7Qbx{pkuWXQ7<(X7Fjicq46q~ zA?uPpqejso+K&Nuy;v-CGeVlFn};=>2ZuVDzub`HLO)r&G!?k~KJ`z%a+f)-$vxFYJsa)wG%W`8Kq7c_Yu$dV-sTY>QkjXiVU~e+$|qS)=5li z5NChfIyO|z1*D%I7mV6Y@(JU_l&t922(zRrqF)vfmXr2Z*Lgq5m%w7r1o-ia_l7(+ z-~I?#d|FrO^jdFz?6a%TlFz`ku$R#BAQvN9a}wU5raQPg@`h1UHU$;sz5uS}3Oi>^ zH8aE?_plwhQTdCzKq%Of3%U@;pc%xaX&sZ}b!ncd8wgf3PIznr7xp22tqh~1kMd4p z5T4-YqeF!!BcNr^|7EesJg6EQBv-fvj=|5pL6nc~0fSn9WlH+bv4HMiMd?nJRlN_M!S=sblPqnVu|Xh2;zg|@64Nt&$IbLG zqA)WIP--A1XzH>$ACb!{;wMrlx9cnp?buHnqg#Qs6&zCN%!Q(KqoMX#{e5ar26P zSs_O#6v2}BczYx|ZHh}lc+I9+Y)z*`byblew?Q7d%@lz=X3s>smZG5K?JNGLvjeXyca+g*LxXu*EQyLO9xW%sSULUszyf zEeA-XNE9okvq8d9{Ie*O+{_{wYWDgT2b}ko+T3+I2wqv2lFziN?Hbm0jbJ2e#Dd1F 
z;sZ(hOf650x44S3gmW7Tg{Q=pp0|I8Pcr|YJK6XFdDr{~4e?YFYeeYe$BzrA;wgJw zW?qo?i5X9XNqOH*&V5+YVt6FdjaNJx0U{&|TB~XtS@0$3?h-1|OhvjUr{j3RWD#gf!9YC~VT`y}oubnulk-O;t61 zbU7=)ax730YWbK=D4nrHF=EeX~YooAQ$(KMCe5*r(AdKchm&sR8&&k6mgpA>pK7v zuJX@_gh~ zUsTFb!GDf;`7Q{arFmhrn&B-JI-e2l@x> zjdyxWhd(EdQZ51>_G`<6nUIpK8@d(zU^+jiEHb2NDDogXQ7VEX6v6O!`K6a|09H>h3-eK*&G+{vs`DUA&FNKr#pA?4nrBvefO2Hj% z72e=qfc~!6vQf=m>q8B`DuIzbz@EK5JX7crI8Kq#WQG^J6)$N?hSa)6v zl$U~elFZGJJKV#$?%Osp!f8_Ch#MVoW!Okf;B}wcN28um@#yEs`o`R12Hd;Aot)&V z^T)5LXccydgLsM3PZ`QMGiRNh*PQ3)B-xtd{s(_(jBBDkPVfeug3JwXs?sHn{POqy zBpH<*nIAJ>O3l$V3K56O$=&evdqEazy*z`6U#KbZKa*1tgs^;E+j!Z8{V4Z7x?(I& z4q)f@X_XD%iuSmbpfp!k&pP!lXI3q09@x(V z^Uv0H9ZoDAq}OTFvBPu2A-;<1ubc*X06TvRtuB{!5@1t%Wh+aW1Xnb`L zL#kWBjIWYb-LCVz-b)^Ilv0$-Z8@k9dvnyA^C`cjMoy)jtlF8-z?fG@O1W1 zl#`MPa-G$$3jHQ`CWaMSc`g;J88mau8Y+Z+Y;`1het-{thlfXRT@qHlG*AD1mG#mF z8&HPQb22*pTEVfd8Py$5%;{#m&82VJj;VM7%a4uh%oOdxlr5r749nrSd<;&HkHK;~ zRt!b(CL8F~N(Z(SFo1{@3Cw9h0TlGfk-!WUnL#mrc{gC-K{5|GSRjGXNRg)obBZJ| zIXUA{jBtrKl=LLleG+33dWYgs>4S8EaNSNoh|LKlLc>Ww zG#1isI~rL0;m~$OMf--=@m`t=F>Keu`)03E%6pWS-?^9Y_RYMIxOL&LG}^!=8govk zzz=x7gY-x3`dq^&&+a@Kl?Ux7`n8VX#Jw%o@%Rs%GcVyieGz2Zk)q;kr{20>YfpA! 
zkhfmZ7(!v9p4k>6xZ(|ILa?of0Y9ruKsUQQT#AHDl7 zXumhB*|mT0pG&U$FC2se4fPJ_v;3vzOYkN(ew!?gtKYe9=M11#Jf(Ncj&3xZR5m*- zRi)hb;@^H+!>Tc`QdxUG8~bAT=hQWUwXjyATu{&367PvlO_62KD?tN(0>US>55hUw zrqxwr3|bnKM)pg!h6zuEY84Du#H`NYAhMJN^u^L))W6J7Q~q!74+=KiC;dbXfq;$F z9H2=v1J{3FeF%j8;+g+%kkf(X5(sdlK?+tVaRE6%?nY5qxaMEhs!<9iYz9i3A;8=V z7XBCNKgt*n&ZsW=^oUNgkFR^%tHr$wSpa>1KWC z85q)h4|)iGZ#ISz--GAxML?YvhKsD_fRUwuel3Dv$psuw1(B@?aG*sB7MKPSThw6o z=@*PBXwkw!Qj-AzTMJmgv{nW%qlE*;RP=Z8k5(zD0!V`u=lnO33!xB*6bS^v`2YN~ v0gbS#Pz?}`Re>skLs%p<4P%YeB0vR576TzfqmY-U zDZR*+sPj5FE_F|KXTNJ`s#^P?uv<#XF;?lap;GwQ8*zhqhoVB`2PRrTJ%Kxi#x^HP z@6aTMYynQ!;KC|t^pWI=avtttV7A;o>D2wQ6a?$mbP-fz+?F5FHL?wx^DBx-S08W@ zu|{+F{E&zwdq%^vt#gl}d(u^p)fYxQE5Wp9qvDk_uOcEhCx^n;9X-K4cnTWZx z(W;jcztzBoV6rtk;)Bz)TqU~2$y@39n5KM{w#q@s!^E>k7dVw9+4uXSodkG8%jXvU zAPWW$>3g^IA~q7%Xs}_4AGt`WU9D#Xwg?*F%;x_3!>T@~D`p-+dpKr?(??ld z3Q=Sf@5ZLm!_y<#gmx_E==NNST+rc0XIQ_6ZAMRL?*0@P<_H2oslia5qXPVY(8u@T zS(<}sgBsfjo&;H}vu_*<(G$B&%yY6NMnk8Adh*9mi9!A|ZZJ zQXUNS7~AcSm8`z_J+JK(*#-Q3IGWYw|D&0TsDSh38Fdvh$?QsbjUH1*=xtl zXor`L=FL=7j=!qgS4ZKgPi5GGB>XeYI<}QERqgFXVe)X^qswjrY{T#J;)F83 zC3a|k`txHSlLw2?%t!03cLLOZzv~s>zcwk-5a+M0cuTdGKXUGS9+*s&#;#Shqf8d1 zoqvX^#=BowSYI3s;0eojt=#Jx#~ZBE9fH>tii~1%Lj6+G1_&QJdTSg(Db9Q z;KzzpMa!7*U8jN8D_bICKP3&nkAe0KEtTA`RGuVB-n?_XGkPcf#FRu|FJbGYawGU3 zMo%jmv5cW%Rh;iWH=cA%;<)l9%@X-JQ5?iz#8$%J;{`|BlRxnuuBhZ=D#L932xM4l zvQIX@Q^<+>zS65NKW1EBKg{nlEk?a+U(4BwZC~kUJ3tByua;p;o^$qKzrn~e^NgM~Y{5Dn z-Yyz+WhwKR{1v8_Anr>BS^ysqS4<&1x>WwtMHGWPIFeliC}hc}#nOP&=U@uuP+3!8PvG!(}dZaETfbt_Fz*|7;>hZL~PI{9@=VA^;O5l$M^Rc!TL z3I+8To#^$Srj?NQQyp?F2vh{T=-A-m^3}L>L{vlsfmUY2qnynqZTOvd|4H zdEX|{!4FLl-?dNBxLX3ol3boKsaz21LD2M{y&i~X1$Cwk(#6=xzsB%BdM1ZBc`++z zq++P$Z#Xt6)2L!tPtl^$**lt4pNI#$SXcea(ihKCiY>51-r<|r>%AmS6LvBF25_=7 z!9AF@L5+FzKS=o}ME4YQ9D-D9J|C+~rByZ7aD)^XH}OqAy-M$YC}+^y_g>6LjsQ7H zQNXKmA+J;DcA-dPy=y{ypV!KOWSo&YPa@T0fMgTPj)eNms5_&dm(2_}`@ws*i8D>x zU&>CwNVq=n+I)XjV8>efWOLkyjE7)c6pp(L|Kn@8xE5Ynm5{bySZLS%co4S}@6Oe+ z`TmopjoUR5n&5K)YfS1a_Ff+#c=xIPu#dT*p@# 
z9Nt=x>6u*G;5z&!l_1GQuj(Y(=?&a}-{GNwvf~~{)Q+}N^e~RPwDz16&c*n(YqY>l z24^fuOLub!XT)E1y4KDy^PgLrdcE|1l;G7vWmWkb?fA%@fo0EZIk(k!eib--qD`q9i2f5jNh>P09 zfl+##?=(nHQ|Wl9SwJAH8*0ryg8^Q7fLy5D1jnLp-!WM{^Ft(LQ*o|#TUs%sI$Krt z7SDb^ zyREy4(WE~nM?bXoG5ji(6(4&m!L$2UR~g@}Fxb~dWSYxiL8k?q*3%eh?<`!LEHJs? zZC}EQc1OusgL|o;1tuxXHgFTuG)ThGkJ!`knp~A zGzY;q+68z7*hWvT$`8~RzqQs--oPE6N!^$gF$tX|7;SA9|FY&BD|XTCGPRtOtMsv; z9}yssnR>vOuXavJE&opG6*)X(xqKLYerOCY<`C{!7M_D0E-wTPi-H-SrXCi=h{;I@ zafwo(k)Lx)H=D6?yYe%_0Vx!r5l+LyP@08$8?|KplUI(Ip?^IBL>s4;RH7kL!`t%6mXeH zSjl$lWdNbjJg?~vmGX7pn?)`QgPM^06Bhvk%QIM!EBnMj<&qbw8L~Od4GJytc%9-x z`|$z+^XUWES$Q;G6!3?>CoMm$N3wK!sNH&*$te|vmzS(%WV4Tx9-nqVrUM|Sj5%`K z{XaS@P?%D|2J8<85C zQY8v|94E~)FM7S(hw5Y+7xJgWs(x}dESWlb-SxddT~$hD9>WQTmz*%09SR?O6>A-- zh84y5Z0nA}^QT4L0i(HK-p6snOQ5Jl&@F?clgY2%MQ(PRJCSm`wsp$6>}~+a{L0M9w;a<~!b@ zR{)n81ByQ!!wAH6Py#%eiYThQyJP@iwkXQ0Y!Zx0$dQ8pf$fyQc&;Mqd1eV1cu*#a zlFBv%qtri%fbsd#`^8Yc6#`(mzURC+c`MZnT-?XsPEPj=%bSGI{FxW*gnZqxi+AJo zzt5#|N%&$h0t0UV@*WVo+Mk21gEs@s59aNln^AQRJ>M#&zwSq1!Kbo za-$s^)t@o+Px=_mV#RwY;FF^$J( zjOMwxx^o~!&z?C@bTwvBT~#FZq~#irsG&zas@ftW`JWCQP;E8<=K(3rqHO1 z{6JGX3*M_T5CAP>2Ch4Vz$}1ZrwHqREL#c&fuJ{E6u16YY#M-9rxKVSsOnS%vjTga jFmM