Remove duplicate assignment and portal option for Azure Policy Add-on… #1710

Merged
merged 3 commits into from
Jul 22, 2024
Merged
4 changes: 4 additions & 0 deletions docs/wiki/Whats-new.md
Expand Up @@ -46,6 +46,10 @@ This article will be updated as and when changes are made to the above and anyth

Here's what's changed in Enterprise Scale/Azure Landing Zones:

### 🔃 Policy Refresh Q1 FY25

- Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope.

### June 2024

#### Documentation
47 changes: 1 addition & 46 deletions eslzArm/eslz-portal.json
Expand Up @@ -831,26 +831,6 @@
]
}
},
{
"name": "enableAscForDns",
"type": "Microsoft.Common.OptionsGroup",
"label": "Enable Microsoft Defender for Cloud for DNS",
"defaultValue": "Yes (recommended)",
"toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for DNS.<br>Uses the custom initiative <a href=\"https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html\">Deploy Microsoft Defender for Cloud configuration</a>.",
"visible": "[and(equals(steps('management').enableAsc,'Yes'), or(equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'), equals(steps('basics').cloudEnvironment.selection, 'AzureUSGovernment')))]",
"constraints": {
"allowedValues": [
{
"label": "Yes (recommended)",
"value": "DeployIfNotExists"
},
{
"label": "No",
"value": "Disabled"
}
]
}
},
{
"name": "enableAscForContainers",
"type": "Microsoft.Common.OptionsGroup",
Expand Down Expand Up @@ -3966,7 +3946,7 @@
"type": "Microsoft.Common.OptionsGroup",
"label": "Assign recommended policies to govern identity and domain controllers",
"defaultValue": "Yes (recommended)",
"toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.",
"toolTip": "If 'Yes' is selected when also adding a subscription for identity, Azure Policy will be assigned at the scope to govern your identity resources.",
"constraints": {
"allowedValues": [
{
Expand Down Expand Up @@ -4374,30 +4354,6 @@
},
"visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
},
{
"name": "enableAksPolicy",
"type": "Microsoft.Common.OptionsGroup",
"label": "Enable Kubernetes (AKS) for Azure Policy",
"defaultValue": "Yes (recommended)",
"toolTip": "If 'Yes' is selected the Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters will be enabled.<br>Uses the policy <a href=\"https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html\">Deploy Azure Policy Add-on to Azure Kubernetes Service clusters</a>.",
"constraints": {
"allowedValues": [
{
"label": "Yes (recommended)",
"value": "Yes"
},
{
"label": "Audit only",
"value": "Audit"
},
{
"label": "No",
"value": "No"
}
]
},
"visible": true
},
{
"name": "denyAksPrivileged",
"type": "Microsoft.Common.OptionsGroup",
Expand Down Expand Up @@ -9073,7 +9029,6 @@
"enableVmMonitoring": "[steps('landingZones').lzSection.enableVmMonitoring]",
"enableVmssMonitoring": "[steps('landingZones').lzSection.enableVmssMonitoring]",
"enableVmHybridMonitoring": "[steps('landingZones').lzSection.enableVmHybridMonitoring]",
"enableAksPolicy": "[steps('landingZones').lzSection.enableAksPolicy]",
"denyAksPrivileged": "[steps('landingZones').lzSection.denyAksPrivileged]",
"denyAksPrivilegedEscalation": "[steps('landingZones').lzSection.denyAksPrivilegedEscalation]",
"denyHttpIngressForAks": "[steps('landingZones').lzSection.denyHttpIngressForAks]",
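Review bot: The first hunk of this section removes the `enableAscForDns` options group ("Enable Microsoft Defender for Cloud for DNS"), a change that neither the PR title nor the Whats-new entry in this PR mentions, so the changelog line should name it alongside the AKS Add-on removal. If an output mapping of the form `"enableAscForDns": "[steps('management').enableAscForDns]"` or a matching template parameter still exists elsewhere (the eslzArm.json hunks shown here only drop the enableAksPolicy pieces), it should go in the same change, otherwise the portal form would reference a control that no longer exists. Separately, the removed `enableAksPolicy` control offered the AKS Policy Add-on independently of the Defender for Cloud choice, while the initiative it now relies on appears, from the `visible` condition on the removed DNS control, to be tied to `enableAsc` being 'Yes'; if that reading is right, users who answer 'No' to Defender for Cloud lose Add-on enforcement at landing-zone scope entirely, which deserves a sentence in the Whats-new entry or in the toolTip of the remaining Defender for Cloud control. The enclosing step arrays start and end outside these hunks.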
38 changes: 0 additions & 38 deletions eslzArm/eslzArm.json
Expand Up @@ -771,15 +771,6 @@
"description": "If 'Yes' is selected, policy will be assigned to enforce Hybrid VM monitoring."
}
},
"enableAksPolicy": {
"type": "string",
"defaultValue": "No",
"allowedValues": [
"Yes",
"Audit",
"No"
]
},
"denyAksPrivileged": {
"type": "string",
"defaultValue": "No",
Expand Down Expand Up @@ -1610,7 +1601,6 @@
"azVmssMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json')]",
"azVmHybridMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json')]",
"azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
"azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
"aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
"aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
"tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]",
Expand Down Expand Up @@ -1735,7 +1725,6 @@
"azVmHybridMonitorPolicyDeploymentName": "[take(concat('alz-AzVmHybridMonitor', variables('deploymentSuffix')), 64)]",
"azBackupLzPolicyDeploymentName": "[take(concat('alz-AzBackupLz', variables('deploymentSuffix')), 64)]",
"azBackupIdentityPolicyDeploymentName": "[take(concat('alz-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
"azPolicyForAksPolicyDeploymentName": "[take(concat('alz-AksPolicy', variables('deploymentSuffix')), 64)]",
"aksPrivEscalationPolicyDeploymentName": "[take(concat('alz-AksPrivEsc', variables('deploymentSuffix')), 64)]",
"aksHttpsPolicyDeploymentName": "[take(concat('alz-AksHttps', variables('deploymentSuffix')), 64)]",
"aksPrivilegedPolicyDeploymentName": "[take(concat('alz-AksPrivileged', variables('deploymentSuffix')), 64)]",
Expand Down Expand Up @@ -6236,33 +6225,6 @@
}
}
},
{
// Assigning Azure Policy enablement policy for AKS to landing zones management group if condition is true
"condition": "[or(equals(parameters('enableAksPolicy'), 'Yes'), equals(parameters('enableAksPolicy'), 'Audit'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[variables('deploymentNames').azPolicyForAksPolicyDeploymentName]",
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
"policyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').azPolicyForAksPolicyAssignment]"
},
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
},
"enforcementMode": {
"value": "[if(equals(parameters('enableaksPolicy'), 'Yes'), 'Default', 'DoNotEnforce')]"
}
}
}
},
{
// Assigning Aks Priv Escalation policy to landing zones management group if condition is true
"condition": "[or(equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), equals(parameters('denyAksPrivilegedEscalation'), 'Audit'))]",

This file was deleted.
