ALZ Policy Version Pinning Update #1853

Merged
1 change: 1 addition & 0 deletions docs/wiki/Whats-new.md
Expand Up @@ -52,6 +52,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:

### 🔃 Policy Refresh Q2 FY25

- *Policy Versioning Support* - all initiatives and assignments have been pinned to the current major version of built-in policies or initiatives deployed by ALZ. This ensures that all ALZ deployments will successfully deploy using the currently validated versions of ALZ built-in policies and initiatives. As these get updated the team will validate changes and impact before incrementing the recommended version.
- Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group.
- Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html).
- Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder.
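Review bot: the added line ("Updated the policy and policySet definition API version ...") has two grammar slips and a documentation gap. "to supporting policy versioning" should read "to support policy versioning", and "files, that are built" should drop the comma. More importantly, this entry only mentions the definition API version `2023-04-01`, while every assignment template in this PR also moves its `apiVersion` from `2022-06-01` to `2024-04-01` and gains a `definitionVersion` property; that is the change a reader maintaining a custom or downstream deployment needs to know about. Suggest a second sentence along the lines of: "Policy assignments now use API version 2024-04-01 and carry a definitionVersion pin (for example 2.*.*)."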
Expand Down
Expand Up @@ -26,7 +26,8 @@
},
"variables": {
"policyDefinitions": {
"auditWAF": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66"
"auditWAF": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
"policyVersion": "2.*.*"
},
"policyAssignmentNames": {
"auditWAF": "Audit-AppGW-WAF",
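Review bot: `policyVersion` is added as a sibling of the definition ID inside `variables.policyDefinitions`, so the pin and the ID it applies to are associated only by convention; this works while each file assigns exactly one definition, but the generic key will collide or mislead as soon as a file references two definitions. Consider a key that names what it pins (e.g. `auditWAFVersion`) or a small object per definition holding both the ID and the version. The value itself (`2.*.*`) matches the intent of the wiki entry: lock the major version so a breaking change to the built-in cannot silently change what the assignment enforces, while minor and patch updates still flow in.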
Expand All @@ -42,12 +43,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').auditWAF]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').auditWAF]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
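Review bot: the `apiVersion` bump and the new `definitionVersion` line are one change, not two: `definitionVersion` is not a property of `Microsoft.Authorization/policyAssignments` under `2022-06-01`, so cherry-picking only the version pin into a template still on the old API version would fail validation. Worth stating in the PR description or the wiki entry so downstream forks know to bump the API version together with the pin. The same pairing is applied in every assignment file in this PR, so the pattern is at least consistent.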
Expand Down
Expand Up @@ -17,7 +17,8 @@
},
"variables": {
"policyDefinitions": {
"auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a"
"auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
"policyVersion": "2.*.*"
},
"policyAssignmentNames": {
"auditRGL": "Audit-ResourceRGLocation",
Expand All @@ -33,12 +34,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').auditRGL]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').auditRGL]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
Expand Down
Expand Up @@ -35,7 +35,8 @@
},
"variables": {
"policyDefinitions": {
"auditZR": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5"
"auditZR": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5",
"policyVersion": "1.*.*-preview"
},
"policyAssignmentNames": {
"auditZR": "Audit-ZoneResiliency",
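Review bot: `1.*.*-preview` pins the Audit-ZoneResiliency assignment to the preview line of `policySetDefinitions/130fb88f-...`, the only preview pin in this PR. A preview built-in can still change within the same major line before it reaches GA, and a GA release may ship under a non-preview version that a `-preview` wildcard does not match, so this pin needs an explicit note in the wiki entry and a follow-up item to move to the GA version when it ships.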
Expand All @@ -51,12 +52,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').auditZR]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').auditZR]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
Expand Down
Expand Up @@ -13,7 +13,8 @@
},
"variables": {
"policyDefinitions": {
"denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99"
"denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
"policyVersion": "7.*.*"
},
"policyAssignmentNames": {
"denyAksNoPrivEsc": "Deny-Priv-Esc-AKS",
Expand All @@ -24,12 +25,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').denyAksNoPrivEsc]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyAksNoPrivEsc]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"effect": {
Expand Down
Expand Up @@ -13,7 +13,8 @@
},
"variables": {
"policyDefinitions": {
"denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"
"denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
"policyVersion": "9.*.*"
},
"policyAssignmentNames": {
"denyAksPriv": "Deny-Privileged-AKS",
Expand All @@ -24,12 +25,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').denyAksPriv]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyAksPriv]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"effect": {
Expand Down
Expand Up @@ -13,7 +13,8 @@
},
"variables": {
"policyDefinitions": {
"denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"
"denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
"policyVersion": "8.*.*"
},
"policyAssignmentNames": {
"denyHttpIngressAks": "Enforce-AKS-HTTPS",
Expand All @@ -24,12 +25,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').denyHttpIngressAks]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyHttpIngressAks]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"effect": {
Expand Down
Expand Up @@ -25,7 +25,8 @@
},
"variables": {
"policyDefinitions": {
"denyClassicResources": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
"denyClassicResources": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"policyVersion": "2.*.*"
},
"policyAssignmentNames": {
"denyClassicResources": "Deny-Classic-Resources",
Expand All @@ -41,12 +42,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').denyClassicResources]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyClassicResources]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
Expand Down
Expand Up @@ -25,7 +25,8 @@
},
"variables": {
"policyDefinitions": {
"denyHybridNetworking": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
"denyHybridNetworking": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"policyVersion": "2.*.*"
},
"policyAssignmentNames": {
"denyHybridNetworking": "Deny-HybridNetworking",
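Review bot: this file pins `6c112d4e-5bc7-47ae-a041-ea2d9dccd749` to `2.*.*`, and the same definition ID appears with the same pin in the Deny-Classic-Resources and Deny-Public-IP files in this PR (all three assign one built-in with different parameters). That is consistent today, but three copies of one version string will drift on the next bump; a shared variable, or a single source of truth in the master policies build, would keep the three assignments on the same version.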
Expand All @@ -41,12 +42,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').denyHybridNetworking]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyHybridNetworking]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
Expand Down
Expand Up @@ -17,7 +17,8 @@
},
"variables": {
"policyDefinitions": {
"denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900"
"denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
"policyVersion": "1.*.*"
},
"policyAssignmentNames": {
"denyIpForwarding": "Deny-IP-forwarding",
Expand All @@ -33,7 +34,7 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').denyIpForwarding]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
Expand All @@ -44,7 +45,8 @@
"message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
}
],
"policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]"
"policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]"
}
}
],
Expand Down
Expand Up @@ -17,7 +17,8 @@
},
"variables": {
"policyDefinitions": {
"denyPipOnNic": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114"
"denyPipOnNic": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
"policyVersion": "1.*.*"
},
"policyAssignmentNames": {
"denyPipOnNIC": "Deny-Public-IP-On-NIC",
Expand All @@ -33,12 +34,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').denyPipOnNic]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyPipOnNic]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
Expand Down
Expand Up @@ -17,7 +17,8 @@
},
"variables": {
"policyDefinitions": {
"denyPip": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
"denyPip": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"policyVersion": "2.*.*"
},
"policyAssignmentNames": {
"denyPip": "Deny-Public-IP",
Expand All @@ -33,12 +34,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').denyPip]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyPip]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
Expand Down
Expand Up @@ -17,7 +17,8 @@
},
"variables": {
"policyDefinitions": {
"storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9"
"storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
"policyVersion": "2.*.*"
},
"policyAssignmentNames": {
"storageHttps": "Deny-Storage-http",
Expand All @@ -33,12 +34,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').storageHttps]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').storageHttps]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
Expand Down
Expand Up @@ -17,7 +17,8 @@
},
"variables": {
"policyDefinitions": {
"denyVMUnmanagedDisk": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
"denyVMUnmanagedDisk": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
"policyVersion": "1.*.*"
},
"policyAssignmentNames": {
"denyVMUnmanagedDisk": "Deny-UnmanagedDisk",
Expand All @@ -33,12 +34,13 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').denyVMUnmanagedDisk]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyVMUnmanagedDisk]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
Expand Down
Expand Up @@ -17,7 +17,8 @@
},
"variables": {
"policyDefinitions": {
"ascMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
"ascMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
"policyVersion": "57.*.*"
},
"policyAssignmentNames": {
"ascMonitoring": "Deploy-ASC-Monitoring",
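Review bot: the `57.*.*` pin for the Deploy-ASC-Monitoring initiative (`policySetDefinitions/1f3afdf9-...`) deserves its own call-out, because a major number of 57 means this initiative has revised its major far more often than anything else in this PR (the other pins sit between 1 and 9). A major-only wildcard will therefore freeze this assignment much sooner than the rest, and since the assignment also carries an `identity`, a bump that adds remediation policies may need new role assignments as well. Suggest documenting a review cadence for this particular pin in the wiki entry rather than treating it like the single-policy assignments.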
Expand All @@ -33,7 +34,7 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').ascMonitoring]",
"location": "[deployment().location]",
"identity": {
Expand All @@ -43,6 +44,7 @@
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').ascMonitoring]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
Expand Down
Expand Up @@ -29,7 +29,8 @@
},
"variables": {
"policyDefinitions": {
"deployAzureActivityLog": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f"
"deployAzureActivityLog": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
"policyVersion": "1.*.*"
},
"policyAssignmentNames": {
"azureActivityLog": "Deploy-AzActivity-Log",
Expand All @@ -51,7 +52,7 @@
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"apiVersion": "2024-04-01",
"name": "[variables('policyAssignmentNames').azureActivityLog]",
"location": "[deployment().location]",
"identity": {
Expand All @@ -61,6 +62,7 @@
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').deployAzureActivityLog]",
"definitionVersion": "[variables('policyDefinitions').policyVersion]",
"enforcementMode": "[parameters('enforcementMode')]",
"nonComplianceMessages": [
{
Expand Down