feat: update platform/alz library (automated) (#76)

This is an automated 'pull_request' containing updates to the library templates stored in 'platform/alz'.\n Please review the 'files changed' tab to review changes. --------- Co-authored-by: github-actions <action@github.com> Co-authored-by: Matt White <16320656+matt-FFFFFF@users.noreply.github.com>
Azure · Oct 16, 2024 · e8d6d56 · e8d6d56
1 parent 9f920be
commit e8d6d56
Show file tree

Hide file tree

Showing 99 changed files with 604 additions and 1,003 deletions.
diff --git a/.github/workflows/update-alz.yml b/.github/workflows/update-alz.yml
@@ -86,7 +86,6 @@ jobs:
           inlineScript: |
             Write-Information "==> Running policy definitions in archetype definitions script..." -InformationAction Continue
             ${{ github.repository }}/platform/alz/scripts/Invoke-LibraryUpdatePolicyDefinitions.ps1 `
-              -AlzToolsPath "${{ github.workspace }}/${{ env.remote_repository }}/src/Alz.Tools/" `
               -TargetPath "${{ github.workspace }}/${{ github.repository }}" `
               -SourcePath "${{ github.workspace }}/${{ env.remote_repository }}"
           azPSVersion: "latest"
@@ -97,7 +96,6 @@ jobs:
           inlineScript: |
             Write-Information "==> Running policy assignments and archetypes script..." -InformationAction Continue
             ${{ github.repository }}/platform/alz/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1 `
-              -AlzToolsPath "${{ github.workspace }}/${{ env.remote_repository }}/src/Alz.Tools/" `
               -TargetPath "${{ github.workspace }}/${{ github.repository }}" `
               -SourcePath "${{ github.workspace }}/${{ env.remote_repository }}"
           azPSVersion: "latest"

diff --git a/platform/alz/README.md b/platform/alz/README.md
@@ -116,7 +116,6 @@ flowchart TD
 - Deny-Privileged-AKS
 - Deny-Storage-http
 - Deny-Subnet-Without-Nsg
-- Deploy-AKS-Policy
 - Deploy-AzSqlDb-Auditing
 - Deploy-MDFC-DefSQL-AMA
 - Deploy-SQL-TDE
@@ -133,23 +132,15 @@ flowchart TD
 - Enforce-AKS-HTTPS
 - Enforce-ASR
 - Enforce-GR-KeyVault
+- Enforce-Subnet-Private
 - Enforce-TLS-SSL-H224
 </details>
 
-### archetype `management`
-
-#### management policy assignments
-
-<details><summary>1 policy assignments</summary>
-
-- Deploy-Log-Analytics
-</details>
-
 ### archetype `platform`
 
 #### platform policy assignments
 
-<details><summary>11 policy assignments</summary>
+<details><summary>12 policy assignments</summary>
 
 - DenyAction-DeleteUAMIAMA
 - Deploy-MDFC-DefSQL-AMA
@@ -162,6 +153,7 @@ flowchart TD
 - Enable-AUM-CheckUpdates
 - Enforce-ASR
 - Enforce-GR-KeyVault
+- Enforce-Subnet-Private
 </details>
 
 ### archetype `root`
@@ -332,7 +324,7 @@ flowchart TD
 
 #### root policy set definitions
 
-<details><summary>45 policy set definitions</summary>
+<details><summary>46 policy set definitions</summary>
 
 - Audit-TrustedLaunch
 - Audit-UnusedResourcesCostOptimization
@@ -356,6 +348,7 @@ flowchart TD
 - Enforce-Guardrails-APIM
 - Enforce-Guardrails-AppServices
 - Enforce-Guardrails-Automation
+- Enforce-Guardrails-BotService
 - Enforce-Guardrails-CognitiveServices
 - Enforce-Guardrails-Compute
 - Enforce-Guardrails-ContainerApps
@@ -393,7 +386,7 @@ flowchart TD
 - Deny-UnmanagedDisk
 - Deploy-ASC-Monitoring
 - Deploy-AzActivity-Log
-- Deploy-Diag-Logs
+- Deploy-Diag-LogsCat
 - Deploy-MDEndpoints
 - Deploy-MDEndpointsAMA
 - Deploy-MDFC-Config-H224
@@ -527,24 +520,6 @@ The following policy default values are available in this library:
 - dcrResourceId
 </details>
 
-### default name `automation_account_location`
-
-#### assignment `Deploy-Log-Analytics`
-
-<details><summary>1 parameter names</summary>
-
-- automationRegion
-</details>
-
-### default name `automation_account_name`
-
-#### assignment `Deploy-Log-Analytics`
-
-<details><summary>1 parameter names</summary>
-
-- automationAccountName
-</details>
-
 ### default name `ddos_protection_plan_id`
 
 #### assignment `Enable-DDoS-VNET`
@@ -598,51 +573,6 @@ The following policy default values are available in this library:
 - userWorkspaceResourceId
 </details>
 
-### default name `log_analytics_workspace_location`
-
-#### assignment `Deploy-Log-Analytics`
-
-<details><summary>1 parameter names</summary>
-
-- workspaceRegion
-</details>
-
-### default name `log_analytics_workspace_name`
-
-#### assignment `Deploy-Log-Analytics`
-
-<details><summary>1 parameter names</summary>
-
-- workspaceName
-</details>
-
-### default name `log_analytics_workspace_resource_group_name`
-
-#### assignment `Deploy-Log-Analytics`
-
-<details><summary>1 parameter names</summary>
-
-- rgName
-</details>
-
-### default name `log_analytics_workspace_retention_in_days`
-
-#### assignment `Deploy-Log-Analytics`
-
-<details><summary>1 parameter names</summary>
-
-- dataRetention
-</details>
-
-### default name `log_analytics_workspace_sku`
-
-#### assignment `Deploy-Log-Analytics`
-
-<details><summary>1 parameter names</summary>
-
-- sku
-</details>
-
 ### default name `private_dns_zone_app`
 
 #### assignment `Deploy-Private-DNS-Zones`
@@ -1334,7 +1264,7 @@ The following policy default values are available in this library:
 
 ### all policy set definitions
 
-<details><summary>45 policy set definitions</summary>
+<details><summary>46 policy set definitions</summary>
 
 - Audit-TrustedLaunch
 - Audit-UnusedResourcesCostOptimization
@@ -1358,6 +1288,7 @@ The following policy default values are available in this library:
 - Enforce-Guardrails-APIM
 - Enforce-Guardrails-AppServices
 - Enforce-Guardrails-Automation
+- Enforce-Guardrails-BotService
 - Enforce-Guardrails-CognitiveServices
 - Enforce-Guardrails-Compute
 - Enforce-Guardrails-ContainerApps
@@ -1385,58 +1316,40 @@ The following policy default values are available in this library:
 
 ### all policy assignments
 
-<details><summary>69 policy assignments</summary>
+<details><summary>49 policy assignments</summary>
 
 - Audit-AppGW-WAF
 - Audit-PeDnsZones
 - Audit-ResourceRGLocation
 - Audit-TrustedLaunch
 - Audit-UnusedResources
 - Audit-ZoneResiliency
-- Deny-AppGW-Without-WAF
 - Deny-Classic-Resources
-- Deny-DataB-Pip
-- Deny-DataB-Sku
-- Deny-DataB-Vnet
 - Deny-HybridNetworking
 - Deny-IP-forwarding
 - Deny-MgmtPorts-Internet
 - Deny-Priv-Esc-AKS
-- Deny-Private-DNS-Zones
 - Deny-Privileged-AKS
 - Deny-Public-Endpoints
 - Deny-Public-IP
 - Deny-Public-IP-On-NIC
-- Deny-RDP-From-Internet
-- Deny-RSG-Locations
-- Deny-Resource-Locations
-- Deny-Resource-Types
 - Deny-Storage-http
 - Deny-Subnet-Without-Nsg
-- Deny-Subnet-Without-Udr
 - Deny-UnmanagedDisk
 - DenyAction-DeleteUAMIAMA
-- Deploy-AKS-Policy
 - Deploy-ASC-Monitoring
 - Deploy-AzActivity-Log
 - Deploy-AzSqlDb-Auditing
-- Deploy-Diag-Logs
-- Deploy-Log-Analytics
+- Deploy-Diag-LogsCat
 - Deploy-MDEndpoints
 - Deploy-MDEndpointsAMA
-- Deploy-MDFC-Config
 - Deploy-MDFC-Config-H224
 - Deploy-MDFC-DefSQL-AMA
-- Deploy-MDFC-DefenSQL-AMA
 - Deploy-MDFC-OssDb
 - Deploy-MDFC-SqlAtp
 - Deploy-Private-DNS-Zones
-- Deploy-Resource-Diag
-- Deploy-SQL-DB-Auditing
-- Deploy-SQL-Security
 - Deploy-SQL-TDE
 - Deploy-SQL-Threat
-- Deploy-UAMI-VMInsights
 - Deploy-VM-Backup
 - Deploy-VM-ChangeTrack
 - Deploy-VM-Monitoring
@@ -1445,16 +1358,14 @@ The following policy default values are available in this library:
 - Deploy-vmArc-ChangeTrack
 - Deploy-vmHybr-Monitoring
 - Enable-AUM-CheckUpdates
-- Enable-AUM-VM-Windows
-- Enable-AUM-VMHyb-Windows
 - Enable-DDoS-VNET
 - Enforce-ACSB
 - Enforce-AKS-HTTPS
 - Enforce-ALZ-Decomm
 - Enforce-ALZ-Sandbox
 - Enforce-ASR
 - Enforce-GR-KeyVault
-- Enforce-TLS-SSL
+- Enforce-Subnet-Private
 - Enforce-TLS-SSL-H224
 </details>
 

diff --git a/platform/alz/alz_policy_default_values.json b/platform/alz/alz_policy_default_values.json
@@ -104,28 +104,6 @@
         }
       ]
     },
-    {
-      "default_name": "automation_account_location",
-      "policy_assignments": [
-        {
-          "parameter_names": [
-            "automationRegion"
-          ],
-          "policy_assignment_name": "Deploy-Log-Analytics"
-        }
-      ]
-    },
-    {
-      "default_name": "automation_account_name",
-      "policy_assignments": [
-        {
-          "parameter_names": [
-            "automationAccountName"
-          ],
-          "policy_assignment_name": "Deploy-Log-Analytics"
-        }
-      ]
-    },
     {
       "default_name": "ddos_protection_plan_id",
       "policy_assignments": [
@@ -178,61 +156,6 @@
         }
       ]
     },
-    {
-      "default_name": "log_analytics_workspace_location",
-      "policy_assignments": [
-        {
-          "parameter_names": [
-            "workspaceRegion"
-          ],
-          "policy_assignment_name": "Deploy-Log-Analytics"
-        }
-      ]
-    },
-    {
-      "default_name": "log_analytics_workspace_name",
-      "policy_assignments": [
-        {
-          "parameter_names": [
-            "workspaceName"
-          ],
-          "policy_assignment_name": "Deploy-Log-Analytics"
-        }
-      ]
-    },
-    {
-      "default_name": "log_analytics_workspace_resource_group_name",
-      "policy_assignments": [
-        {
-          "parameter_names": [
-            "rgName"
-          ],
-          "policy_assignment_name": "Deploy-Log-Analytics"
-        }
-      ]
-    },
-    {
-      "default_name": "log_analytics_workspace_retention_in_days",
-      "policy_assignments": [
-        {
-          "parameter_names": [
-            "dataRetention"
-          ],
-          "policy_assignment_name": "Deploy-Log-Analytics"
-        }
-      ]
-    },
-    {
-      "default_name": "log_analytics_workspace_sku",
-      "policy_assignments": [
-        {
-          "parameter_names": [
-            "sku"
-          ],
-          "policy_assignment_name": "Deploy-Log-Analytics"
-        }
-      ]
-    },
     {
       "default_name": "private_dns_zone_managed_grafana_workspace",
       "policy_assignments": [

diff --git a/platform/alz/archetype_definitions/landing_zones.alz_archetype_definition.json b/platform/alz/archetype_definitions/landing_zones.alz_archetype_definition.json
@@ -9,7 +9,6 @@
     "Deny-Privileged-AKS",
     "Deny-Storage-http",
     "Deny-Subnet-Without-Nsg",
-    "Deploy-AKS-Policy",
     "Deploy-AzSqlDb-Auditing",
     "Deploy-MDFC-DefSQL-AMA",
     "Deploy-SQL-TDE",
@@ -26,6 +25,7 @@
     "Enforce-AKS-HTTPS",
     "Enforce-ASR",
     "Enforce-GR-KeyVault",
+    "Enforce-Subnet-Private",
     "Enforce-TLS-SSL-H224"
   ],
   "policy_definitions": [],

diff --git a/platform/alz/archetype_definitions/management.alz_archetype_definition.json b/platform/alz/archetype_definitions/management.alz_archetype_definition.json
@@ -1,9 +1,7 @@
 {
   "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/archetype_definition.json",
   "name": "management",
-  "policy_assignments": [
-    "Deploy-Log-Analytics"
-  ],
+  "policy_assignments": [],
   "policy_definitions": [],
   "policy_set_definitions": [],
   "role_definitions": []

diff --git a/platform/alz/archetype_definitions/platform.alz_archetype_definition.json b/platform/alz/archetype_definitions/platform.alz_archetype_definition.json
@@ -12,7 +12,8 @@
     "Deploy-VMSS-Monitoring",
     "Enable-AUM-CheckUpdates",
     "Enforce-ASR",
-    "Enforce-GR-KeyVault"
+    "Enforce-GR-KeyVault",
+    "Enforce-Subnet-Private"
   ],
   "policy_definitions": [],
   "policy_set_definitions": [],