Remove duplicate assignment and portal option for Azure Policy Add-on… #1710

Merged
merged 3 commits into from
Jul 22, 2024
3 changes: 1 addition & 2 deletions docs/wiki/ALZ-Policies.md
@@ -224,7 +224,7 @@ This is the parent management group for all the landing zone child management gr
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **13** |
| `Policy Definitions` | **15** |
| `Policy Definitions` | **14** |
</td></tr> </table>

The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Landing Zones Management Group**.
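Review bot: the count change from **15** to **14** in the `Policy Definitions` row is consistent with exactly one policy definition row being dropped from the Landing Zones table in the next hunk; please also confirm that any overall total elsewhere on this page and the `ALZ Policy Assignments v2.xlsx` workbook (modified in this PR but not shown) reflect the same single-row decrement.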
@@ -239,7 +239,6 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny |
| **Network interfaces should disable IP forwarding** | **Network interfaces should disable IP forwarding** | `Policy Definition`, **Built-in** | This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. | Deny |
| **Secure transfer to storage accounts should be enabled** | **Secure transfer to storage accounts should be enabled** | `Policy Definition`, **Built-in** | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit |
| **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | `Policy Definition`, **Built-in** | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. | DeployIfNotExists |
| **Configure SQL servers to have auditing enabled to Log Analytics workspace** | **Configure SQL servers to have auditing enabled to Log Analytics workspace** | `Policy Definition`, **Built-in** | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | DeployIfNotExists |
| **Deploy Threat Detection on SQL servers** | **Configure Azure Defender to be enabled on SQL servers** | `Policy Definition`, **Built-in** | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists |
| **Deploy TDE on SQL servers** | **Deploy TDE on SQL servers** | `Policy Definition`, **Built-in** | This policy ensures that Transparent Data Encryption is enabled on SQL Servers | DeployIfNotExists |
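Review bot: with the **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** row gone, a reader of the Landing Zones table can no longer tell that AKS clusters there are still covered by that control; since the What's-new entry in this PR states the policy is now applied through the **Deploy Microsoft Defender for Cloud configuration** initiative at Intermediate Root scope, consider a short note under this table pointing to that initiative so the removal is not read as the control being dropped.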
4 changes: 4 additions & 0 deletions docs/wiki/Whats-new.md
@@ -46,6 +46,10 @@ This article will be updated as and when changes are made to the above and anyth

Here's what's changed in Enterprise Scale/Azure Landing Zones:

### 🔃 Policy Refresh Q1 FY25

- Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope.

### June 2024

#### Documentation
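Review bot: the new entry describes the assignment and portal option removal but not the removal of the `enableAksPolicy` parameter from eslzArm.json, which this PR also makes; a parameter file that still supplies `enableAksPolicy` will be rejected by the template once the declaration is gone, so the entry should flag this as a breaking change and tell existing users to drop the parameter from their parameter files or pipelines.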
Binary file modified docs/wiki/media/ALZ Policy Assignments v2.xlsx
Binary file not shown.
47 changes: 1 addition & 46 deletions eslzArm/eslz-portal.json
@@ -831,26 +831,6 @@
]
}
},
{
"name": "enableAscForDns",
"type": "Microsoft.Common.OptionsGroup",
"label": "Enable Microsoft Defender for Cloud for DNS",
"defaultValue": "Yes (recommended)",
"toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for DNS.<br>Uses the custom initiative <a href=\"https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html\">Deploy Microsoft Defender for Cloud configuration</a>.",
"visible": "[and(equals(steps('management').enableAsc,'Yes'), or(equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'), equals(steps('basics').cloudEnvironment.selection, 'AzureUSGovernment')))]",
"constraints": {
"allowedValues": [
{
"label": "Yes (recommended)",
"value": "DeployIfNotExists"
},
{
"label": "No",
"value": "Disabled"
}
]
}
},
{
"name": "enableAscForContainers",
"type": "Microsoft.Common.OptionsGroup",
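Review bot: removing the `enableAscForDns` control (Microsoft Defender for Cloud for DNS) is not covered by the PR title or the What's-new entry, both of which mention only the AKS policy add-on; either add a line to Whats-new.md explaining why the DNS option is removed from the portal experience or split it into its own change so the history stays traceable.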
@@ -3966,7 +3946,7 @@
"type": "Microsoft.Common.OptionsGroup",
"label": "Assign recommended policies to govern identity and domain controllers",
"defaultValue": "Yes (recommended)",
"toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.",
"toolTip": "If 'Yes' is selected when also adding a subscription for identity, Azure Policy will be assigned at the scope to govern your identity resources.",
"constraints": {
"allowedValues": [
{
@@ -4374,30 +4354,6 @@
},
"visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
},
{
"name": "enableAksPolicy",
"type": "Microsoft.Common.OptionsGroup",
"label": "Enable Kubernetes (AKS) for Azure Policy",
"defaultValue": "Yes (recommended)",
"toolTip": "If 'Yes' is selected the Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters will be enabled.<br>Uses the policy <a href=\"https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html\">Deploy Azure Policy Add-on to Azure Kubernetes Service clusters</a>.",
"constraints": {
"allowedValues": [
{
"label": "Yes (recommended)",
"value": "Yes"
},
{
"label": "Audit only",
"value": "Audit"
},
{
"label": "No",
"value": "No"
}
]
},
"visible": true
},
{
"name": "denyAksPrivileged",
"type": "Microsoft.Common.OptionsGroup",
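Review bot: deleting this control also removes the `"Audit only"` choice (`"value": "Audit"`), which in eslzArm.json mapped to a `DoNotEnforce` enforcement mode on a standalone assignment; once the add-on is delivered only through the Deploy-MDFC-Config initiative, a customer cannot audit AKS add-on compliance without also taking the enforcement mode of that whole initiative. That loss of a per-policy audit option should be stated in the What's-new entry.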
@@ -9073,7 +9029,6 @@
"enableVmMonitoring": "[steps('landingZones').lzSection.enableVmMonitoring]",
"enableVmssMonitoring": "[steps('landingZones').lzSection.enableVmssMonitoring]",
"enableVmHybridMonitoring": "[steps('landingZones').lzSection.enableVmHybridMonitoring]",
"enableAksPolicy": "[steps('landingZones').lzSection.enableAksPolicy]",
"denyAksPrivileged": "[steps('landingZones').lzSection.denyAksPrivileged]",
"denyAksPrivilegedEscalation": "[steps('landingZones').lzSection.denyAksPrivilegedEscalation]",
"denyHttpIngressForAks": "[steps('landingZones').lzSection.denyHttpIngressForAks]",
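Review bot: this mapping removal matches the `enableAksPolicy` control removed at `-4374`, but no equivalent removal of a `steps('management').enableAscForDns` mapping appears anywhere in this diff even though that control is deleted at `-831`; check whether such a mapping (and a corresponding parameter in eslzArm.json) still exists, since a mapping that references a step control which no longer exists will break the portal form.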
38 changes: 0 additions & 38 deletions eslzArm/eslzArm.json
@@ -771,15 +771,6 @@
"description": "If 'Yes' is selected, policy will be assigned to enforce Hybrid VM monitoring."
}
},
"enableAksPolicy": {
"type": "string",
"defaultValue": "No",
"allowedValues": [
"Yes",
"Audit",
"No"
]
},
"denyAksPrivileged": {
"type": "string",
"defaultValue": "No",
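Review bot: removing the `enableAksPolicy` declaration outright is a breaking change for anyone deploying eslzArm.json with a saved parameter file that still contains it, because the deployment is rejected when the parameter file carries a parameter the template does not declare. If backward compatibility matters, keep the declaration with a `metadata.description` stating that the value is ignored and the add-on is now assigned via the Defender for Cloud initiative; otherwise document the removal in Whats-new.md.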
@@ -1610,7 +1601,6 @@
"azVmssMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json')]",
"azVmHybridMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json')]",
"azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
"azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
"aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
"aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
"tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]",
@@ -1735,7 +1725,6 @@
"azVmHybridMonitorPolicyDeploymentName": "[take(concat('alz-AzVmHybridMonitor', variables('deploymentSuffix')), 64)]",
"azBackupLzPolicyDeploymentName": "[take(concat('alz-AzBackupLz', variables('deploymentSuffix')), 64)]",
"azBackupIdentityPolicyDeploymentName": "[take(concat('alz-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
"azPolicyForAksPolicyDeploymentName": "[take(concat('alz-AksPolicy', variables('deploymentSuffix')), 64)]",
"aksPrivEscalationPolicyDeploymentName": "[take(concat('alz-AksPrivEsc', variables('deploymentSuffix')), 64)]",
"aksHttpsPolicyDeploymentName": "[take(concat('alz-AksHttps', variables('deploymentSuffix')), 64)]",
"aksPrivilegedPolicyDeploymentName": "[take(concat('alz-AksPrivileged', variables('deploymentSuffix')), 64)]",
@@ -6236,33 +6225,6 @@
}
}
},
{
// Assigning Azure Policy enablement policy for AKS to landing zones management group if condition is true
"condition": "[or(equals(parameters('enableAksPolicy'), 'Yes'), equals(parameters('enableAksPolicy'), 'Audit'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[variables('deploymentNames').azPolicyForAksPolicyDeploymentName]",
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
"policyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').azPolicyForAksPolicyAssignment]"
},
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
},
"enforcementMode": {
"value": "[if(equals(parameters('enableaksPolicy'), 'Yes'), 'Default', 'DoNotEnforce')]"
}
}
}
},
{
// Assigning Aks Priv Escalation policy to landing zones management group if condition is true
"condition": "[or(equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), equals(parameters('denyAksPrivilegedEscalation'), 'Audit'))]",
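Review bot: the removed deployment assigned the add-on policy at `variables('scopes').lzsManagementGroup` only, while the initiative that replaces it (per the What's-new entry) is assigned at Intermediate Root; policy assignments are inherited by child scopes, so after this change the DeployIfNotExists effect reaches every child management group under the intermediate root, not just landing zones, and always with the initiative's own enforcement mode rather than the `Default`/`DoNotEnforce` switch computed here. Confirm the wider scope is intended and that the initiative assignment's managed identity holds the roles needed to remediate AKS clusters at that scope.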

This file was deleted.
