Private subnet policy and portal update #1728

Merged 16 commits, Aug 27, 2024 (changes shown from 15 commits)
6 changes: 4 additions & 2 deletions docs/wiki/ALZ-Policies.md
Expand Up @@ -107,7 +107,7 @@ This management group contains all the platform child management groups, like ma
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **10** |
| `Policy Definitions` | **0** |
| `Policy Definitions` | **2** |
</td></tr> </table>

| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
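Review bot: the `Policy Definitions` count for this management group jumps from 0 to 2, but this hunk adds only one definition row (`Subnets should be private`); the `Do not allow deletion of the User Assigned Managed Identity used by AMA` row was already present, so the old count of 0 was stale. Worth a sentence in the PR description so the two-step correction reads as intentional rather than a typo.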
Expand All @@ -123,6 +123,7 @@ This management group contains all the platform child management groups, like ma
| **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
| **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled |
| **Do not allow deletion of the User Assigned Managed Identity used by AMA**\*| **Do not allow deletion of specified resource and resource type** | `Policy Definition`, **Custom** | This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect. | DenyAction |
| **Subnets should be private** | **Subnets should be private** | `Policy Definition`, **Built-in** | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement | Audit, Deny |

> \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future.

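Review bot: the new row lists `Audit, Deny` under Effect(s), while the `enablePrivateSubnet` parameter added in `eslzArm/eslzArm.json` also accepts `Disabled`; the neighbouring rows document every allowed effect (`DeployIfNotExists, Disabled`), so either add `Disabled` here or drop it from the template. The row also carries no `\*` footnote although the PR title and the What's-new entry describe a portal change; if Terraform and Bicep do not assign this policy yet, mark the row the same way as the AMA rows.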
Expand Down Expand Up @@ -224,7 +225,7 @@ This is the parent management group for all the landing zone child management gr
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **13** |
| `Policy Definitions` | **14** |
| `Policy Definitions` | **15** |
</td></tr> </table>

The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Landing Zones Management Group**.
Expand Down Expand Up @@ -257,6 +258,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
| **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
| **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
| **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled |
| **Subnets should be private** | **Subnets should be private** | `Policy Definition`, **Built-in** | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement | Audit, Deny |

> \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future.

1 change: 1 addition & 0 deletions docs/wiki/Whats-new.md
Expand Up @@ -54,6 +54,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
- Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to the the newer version of DCSPM: [Configure Microsoft Defender CSPM plan](https://www.azadvertizer.net/azpolicyadvertizer/72f8cee7-2937-403d-84a1-a4e3e57f3c21.html)
- Updated [Deploy-Private-DNS-Generic](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Private-DNS-Generic.html) policy to include the ability to configure the location/region.
- Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope.
- Added new built-in policy assignment and portal option for [Subnets should be private](https://www.azadvertizer.net/azpolicyadvertizer/7bca8353-aa3b-429b-904a-9229c4385837.html) assigned at Platform and Landing Zones management groups. This policy's assignment effect is defaulted to "Audit" in this release, giving the community time to adopt the good practice and address subnet compliance. We will default to the "Deny" effect as part of the next Policy Refresh.

### August 2024

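Review bot: the entry says the assignment effect "is defaulted to Audit in this release", but the portal option in `eslzArm/eslz-portal.json` offers only `Audit` and the deployment conditions in `eslzArm/eslzArm.json` only fire for `Yes`/`Audit`, so `Deny` is not reachable at all in this release; say that only `Audit` is available rather than that it is the default. Since the plan is to flip to `Deny` at the next Policy Refresh, which will start blocking subnet creation, it is worth calling that out explicitly as an upcoming breaking change.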
Binary file modified docs/wiki/media/ALZ Policy Assignments v2.xlsx
Binary file not shown.
17 changes: 17 additions & 0 deletions eslzArm/eslz-portal.json
Expand Up @@ -270,6 +270,22 @@
]
}
},
{
"name": "enablePrivateSubnet",
"type": "Microsoft.Common.OptionsGroup",
"label": "<b>*New*</b> Enforce subnets should be private",
"defaultValue": "Audit only (recommended)",
"visible": true,
"toolTip": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to <a href=\"https://aka.ms/defaultoutboundaccessretirement\">https://aka.ms/defaultoutboundaccessretirement</a>.<br>Uses the policy <a href=\"https://www.azadvertizer.net/azpolicyadvertizer/7bca8353-aa3b-429b-904a-9229c4385837.html\">Subnets should be private</a>.",
"constraints": {
"allowedValues": [
{
"label": "Audit only (recommended)",
"value": "Audit"
}
]
}
},
{
"name": "cuaSection",
"type": "Microsoft.Common.Section",
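Review bot: `allowedValues` contains a single entry, so this `OptionsGroup` gives the user no actual choice, and the label `Enforce subnets should be private` overstates what `Audit` does. If `Deny` is deliberately withheld until the next refresh, a label such as "Audit subnets should be private" matches the only selectable value; when the template condition is fixed to honour `Deny` and `Disabled`, add those as labelled options here so the portal can reach every value the `enablePrivateSubnet` parameter accepts.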
Expand Down Expand Up @@ -8940,6 +8956,7 @@
"singlePlatformSubscriptionId": "[steps('core').singleSubscription.selector]",
"denyClassicResources": "[steps('core').denyClassicResources]",
"denyVMUnmanagedDisk": "[steps('core').denyVMUnmanagedDisk]",
"enablePrivateSubnet": "[steps('core').enablePrivateSubnet]",
"telemetryOptOut": "[steps('core').cuaSection.telemetryOptOut]",
"enforceKvGuardrailsPlat": "[steps('management').esPlatformMgmtGroup.enforceKvGuardrailsPlat]",
"enforceBackupPlat": "[steps('management').esPlatformMgmtGroup.enforceBackupPlat]",
63 changes: 63 additions & 0 deletions eslzArm/eslzArm.json
Expand Up @@ -14,6 +14,15 @@
"defaultValue": "",
"maxLength": 36
},
"enablePrivateSubnet": {
"type": "string",
"defaultValue": "Audit",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
]
},
"telemetryOptOut": {
"type": "string",
"defaultValue": "No",
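Review bot: the allowed values here are `Audit`, `Deny`, `Disabled`, but the other toggles in this template use `Yes`/`Audit`/`No` (e.g. `enableStorageHttps` is compared against `'Yes'` further down) and the new deployment conditions compare this parameter against `'Yes'` as well. Pick one convention and make the allowed values and the conditions agree; as written, `Deny` passes parameter validation but is never acted on.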
Expand Down Expand Up @@ -1634,6 +1643,7 @@
"resourceRgLocationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json')]",
"VMUnmanagedDiskPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json')]",
"diagnosticSettingsforManagementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json')]",
"privateSubnetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json')]",
// references to https://github.com/Azure/azure-monitor-baseline-alerts
"monitorPolicyDefinitions": "[uri(variables('rootUris').monitorRepo, 'patterns/alz/alzArm.json')]",
"azureUpdateManagerPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json')]",
Expand Down Expand Up @@ -1764,6 +1774,7 @@
"mdEndpointsDeploymentName": "[take(concat('alz-MDEndpoints', variables('deploymentSuffix')), 64)]",
"mdEndpointsAMADeploymentName": "[take(concat('alz-MDEndpointsAMA', variables('deploymentSuffix')), 64)]",
"corpConnectedLzVwanSubs": "[take(concat('alz-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]",
"privateSubnetDeploymentName": "[take(concat('alz-pvtSubnet', variables('deploymentSuffix')), 64)]",
"pidCuaDeploymentName": "[take(concat('pid-', variables('cuaid'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
"denyClassicResourcePolicyDeploymentName": "[take(concat('alz-NoClassicResource', variables('deploymentSuffix')), 64)]",
"costOptimizationDeploymentName": "[take(concat('alz-CostOptimization', variables('deploymentSuffix')), 64)]",
Expand Down Expand Up @@ -6388,6 +6399,58 @@
}
}
},
{
"condition": "[or(equals(parameters('enablePrivateSubnet'), 'Yes'), equals(parameters('enablePrivateSubnet'), 'Audit'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[variables('deploymentNames').privateSubnetDeploymentName]",
"scope": "[variables('scopes').platformManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
"policyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').privateSubnetPolicyAssignment]"
},
"parameters": {
"enforcementMode": {
"value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')]"
},
"effect": {
"value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Deny', 'Audit')]"
}
}
}
},
{
"condition": "[or(equals(parameters('enablePrivateSubnet'), 'Yes'), equals(parameters('enablePrivateSubnet'), 'Audit'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[variables('deploymentNames').privateSubnetDeploymentName]",
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
"policyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').privateSubnetPolicyAssignment]"
},
"parameters": {
"enforcementMode": {
"value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')]"
},
"effect": {
"value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Deny', 'Audit')]"
}
}
}
},
{
// Assigning deny storage without https policy to landing zones management group if condition is true
"condition": "[or(equals(parameters('enableStorageHttps'), 'Yes'), equals(parameters('enableStorageHttps'), 'Audit'))]",
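Review bot: both conditions and all four `if()` expressions compare `enablePrivateSubnet` with `'Yes'`, a value the parameter does not allow (`Audit`, `Deny`, `Disabled`); a caller passing `Deny` therefore deploys nothing, and no value can yield `enforcementMode: Default` together with `effect: Deny`. Either switch the allowed values to `Yes`/`Audit`/`No` like `enableStorageHttps`, or compare against `'Deny'`, e.g. `"condition": "[or(equals(parameters('enablePrivateSubnet'), 'Deny'), equals(parameters('enablePrivateSubnet'), 'Audit'))]"` with the matching change in the `if()` calls. The two deployments also share `privateSubnetDeploymentName` at two different management group scopes; distinct names (for example a Platform/Landing Zones suffix) keep deployment history and any future `dependsOn` reference unambiguous, and a leading comment like the one on the storage HTTPS block below would match the file's style.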
@@ -0,0 +1,66 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"effect": {
"type": "string",
"allowedValues": [
"Deny",
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
},
"nonComplianceMessagePlaceholder": {
"type": "string",
"defaultValue": "{enforcementMode}"
}
},
"variables": {
"policyDefinitions": {
"privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837"
},
"policyAssignmentNames": {
"privateSubnet": "Enforce-Subnet-private",
"description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement",
"displayName": "Subnets should be private"
},
"nonComplianceMessage": {
"message": "Subnets {enforcementMode} be private.",
"Default": "must",
"DoNotEnforce": "should"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"name": "[variables('policyAssignmentNames').privateSubnet]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').privateSubnet]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
"message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
}
],
"parameters": {
"effect": {
"value": "[parameters('effect')]"
}
}
}
}
],
"outputs": {}
}
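Review bot: `nonComplianceMessage` keys the verb on `enforcementMode` alone, so `effect: Audit` with `enforcementMode: Default` produces "Subnets must be private" although nothing is denied, while `effect: Deny` with `DoNotEnforce` produces "should". Key the message on `effect` (or on both parameters) so the wording matches what deployers actually see blocked. Minor: `description` and `displayName` live under `policyAssignmentNames`, which misnames them; and `nonComplianceMessagePlaceholder` is exposed as a parameter although nothing should override it, a variable would do.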
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.29.47.4906",
"templateHash": "15544708819382265845"
"templateHash": "14175278704503096"
}
},
"parameters": {