diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index a84b8c1..266314e 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -54,7 +54,7 @@ jobs:
- name: Set up go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
- check-latest: true
+ go-version: 'stable'
- name: Install alzlibtool
run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.18.0
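Review bot: `go-version: 'stable'` replaces `check-latest: true` in this step rather than joining it, so the Go toolchain becomes a floating alias, and without the freshness check setup-go may satisfy it from a release already cached on the runner instead of the newest one. That leaves the compiler that builds alzlibtool as the one unpinned input, next to a SHA-pinned action and a tool pinned to `@v0.18.0`. If the aim is an always-current Go, keep both keys (`go-version: 'stable'` together with `check-latest: true`); if it is reproducibility, pin an explicit release such as `go-version: '<pinned-go-version>'`. The same applies to the `setup go` step changed in update-alz.yml. The rest of the job lies outside the hunk.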
diff --git a/.github/workflows/update-alz.yml b/.github/workflows/update-alz.yml
index 45f5739..8b5bbf9 100644
--- a/.github/workflows/update-alz.yml
+++ b/.github/workflows/update-alz.yml
@@ -40,6 +40,8 @@ jobs:
- name: setup go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ with:
+ go-version: 'stable'
- name: install alzlibtool
run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.18.0
@@ -83,7 +85,7 @@ jobs:
with:
inlineScript: |
Write-Information "==> Running policy assignments and archetypes script..." -InformationAction Continue
- ${{ github.repository }}/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1 `
+ ${{ github.repository }}/platform/alz/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1 `
-AlzToolsPath "${{ github.workspace }}/${{ env.remote_repository }}/src/Alz.Tools/" `
-TargetPath "${{ github.workspace }}/${{ github.repository }}" `
-SourcePath "${{ github.workspace }}/${{ env.remote_repository }}"
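Review bot: The relocated script is still invoked through a path relative to the step's working directory (`${{ github.repository }}/platform/alz/scripts/...`), while the three arguments below it are all anchored to `${{ github.workspace }}`. Anchoring the command the same way, `& "${{ github.workspace }}/${{ github.repository }}/platform/alz/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1"` with the existing line continuation kept, removes that dependence. Because the script now lives under `platform/alz/` instead of `.github/`, any path-scoped review rule, for example a CODEOWNERS entry for `.github/`, would presumably no longer cover code this workflow executes, which is worth checking. The step starts before the hunk and may continue after it.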
diff --git a/platform/alz/README.md b/platform/alz/README.md
index 12f865e..a165ae8 100644
--- a/platform/alz/README.md
+++ b/platform/alz/README.md
@@ -17,9 +17,9 @@ provider "alz" {
## Architectures
-The following architectures are available in this library:
+The following architectures are available in this library, please note that the diagrams denote the management group display name and, in brackets, the associated archetypes:
-### `alz`
+### architecture `alz`
> [!NOTE]
> This hierarchy will be deployed as a child of the user-supplied root management group.
@@ -50,18 +50,18 @@ flowchart TD
## Archetypes
-### `connectivity`
+### archetype `connectivity`
-#### Policy Assignments
+#### connectivity policy assignments
1 policy assignments
- Enable-DDoS-VNET
-### `corp`
+### archetype `corp`
-#### Policy Assignments
+#### corp policy assignments
5 policy assignments
@@ -72,18 +72,18 @@ flowchart TD
- Deploy-Private-DNS-Zones
-### `decommissioned`
+### archetype `decommissioned`
-#### Policy Assignments
+#### decommissioned policy assignments
1 policy assignments
- Enforce-ALZ-Decomm
-### `identity`
+### archetype `identity`
-#### Policy Assignments
+#### identity policy assignments
4 policy assignments
@@ -93,9 +93,9 @@ flowchart TD
- Deploy-VM-Backup
-### `landing_zones`
+### archetype `landing_zones`
-#### Policy Assignments
+#### landing_zones policy assignments
25 policy assignments
@@ -126,18 +126,18 @@ flowchart TD
- Enforce-TLS-SSL-H224
-### `management`
+### archetype `management`
-#### Policy Assignments
+#### management policy assignments
1 policy assignments
- Deploy-Log-Analytics
-### `platform`
+### archetype `platform`
-#### Policy Assignments
+#### platform policy assignments
11 policy assignments
@@ -154,9 +154,9 @@ flowchart TD
- Enforce-GR-KeyVault
-### `root`
+### archetype `root`
-#### Policy Definitions
+#### root policy definitions
158 policy definitions
@@ -320,7 +320,7 @@ flowchart TD
- Modify-UDR
-#### Policy Set Definitions
+#### root policy set definitions
45 policy set definitions
@@ -371,7 +371,7 @@ flowchart TD
- Enforce-Guardrails-VirtualDesktop
-#### Policy Assignments
+#### root policy assignments
15 policy assignments
@@ -392,7 +392,7 @@ flowchart TD
- Enforce-ACSB
-#### Role Definitions
+#### root role definitions
5 role definitions
@@ -403,19 +403,720 @@ flowchart TD
- Subscription-Owner
-### `sandboxes`
+### archetype `sandboxes`
-#### Policy Assignments
+#### sandboxes policy assignments
1 policy assignments
- Enforce-ALZ-Sandbox
+## Policy Default Values
+
+The following policy default values are available in this library:
+
+### default name `ama_user_assigned_managed_identity_id`
+
+#### assignment `Deploy-VM-ChangeTrack`
+
+1 parameter names
+
+- userAssignedIdentityResourceId
+
+
+#### assignment `Deploy-vmArc-ChangeTrack`
+
+1 parameter names
+
+- userAssignedIdentityResourceId
+
+
+#### assignment `Deploy-VMSS-ChangeTrack`
+
+1 parameter names
+
+- userAssignedIdentityResourceId
+
+
+### default name `ama_user_assigned_managed_identity_name`
+
+#### assignment `DenyAction-DeleteUAMIAMA`
+
+1 parameter names
+
+- resourceName
+
+
+### default name `ama_vm_change_tracking_data_collection_rule_id`
+
+#### assignment `Deploy-VM-ChangeTrack`
+
+1 parameter names
+
+- dcrResourceId
+
+
+### default name `ama_vmarc_change_tracking_data_collection_rule_id`
+
+#### assignment `Deploy-vmArc-ChangeTrack`
+
+1 parameter names
+
+- dcrResourceId
+
+
+### default name `ama_vmss_change_tracking_data_collection_rule_id`
+
+#### assignment `Deploy-VMSS-ChangeTrack`
+
+1 parameter names
+
+- dcrResourceId
+
+
+### default name `automation_account_location`
+
+#### assignment `Deploy-Log-Analytics`
+
+1 parameter names
+
+- automationRegion
+
+
+### default name `automation_account_name`
+
+#### assignment `Deploy-Log-Analytics`
+
+1 parameter names
+
+- automationAccountName
+
+
+### default name `ddos_protection_plan_id`
+
+#### assignment `Enable-DDoS-VNET`
+
+1 parameter names
+
+- ddosPlan
+
+
+### default name `log_analytics_workspace_id`
+
+#### assignment `Deploy-AzActivity-Log`
+
+1 parameter names
+
+- logAnalytics
+
+
+#### assignment `Deploy-AzSqlDb-Auditing`
+
+1 parameter names
+
+- logAnalyticsWorkspaceId
+
+
+#### assignment `Deploy-Diag-Logs`
+
+1 parameter names
+
+- logAnalytics
+
+
+#### assignment `Deploy-MDFC-Config-H224`
+
+1 parameter names
+
+- logAnalytics
+
+
+#### assignment `Deploy-MDFC-Config`
+
+1 parameter names
+
+- logAnalytics
+
+
+#### assignment `Deploy-MDFC-DefSQL-AMA`
+
+1 parameter names
+
+- userWorkspaceResourceId
+
+
+### default name `log_analytics_workspace_location`
+
+#### assignment `Deploy-Log-Analytics`
+
+1 parameter names
+
+- workspaceRegion
+
+
+### default name `log_analytics_workspace_name`
+
+#### assignment `Deploy-Log-Analytics`
+
+1 parameter names
+
+- workspaceName
+
+
+### default name `log_analytics_workspace_resource_group_name`
+
+#### assignment `Deploy-Log-Analytics`
+
+1 parameter names
+
+- rgName
+
+
+### default name `log_analytics_workspace_retention_in_days`
+
+#### assignment `Deploy-Log-Analytics`
+
+1 parameter names
+
+- dataRetention
+
+
+### default name `log_analytics_workspace_sku`
+
+#### assignment `Deploy-Log-Analytics`
+
+1 parameter names
+
+- sku
+
+
+### default name `private_dns_zone_app`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureAppPrivateDnsZoneId
+
+
+### default name `private_dns_zone_app_services`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureAppServicesPrivateDnsZoneId
+
+
+### default name `private_dns_zone_arc_guestconfiguration`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureArcGuestconfigurationPrivateDnsZoneId
+
+
+### default name `private_dns_zone_arc_hybrid_resource_provider`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureArcHybridResourceProviderPrivateDnsZoneId
+
+
+### default name `private_dns_zone_arc_kubernetes_configuration`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureArcKubernetesConfigurationPrivateDnsZoneId
+
+
+### default name `private_dns_zone_asr`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureAsrPrivateDnsZoneId
+
+
+### default name `private_dns_zone_automation_dsc_hybrid`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureAutomationDSCHybridPrivateDnsZoneId
+
+
+### default name `private_dns_zone_automation_webhook`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureAutomationWebhookPrivateDnsZoneId
+
+
+### default name `private_dns_zone_batch`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureBatchPrivateDnsZoneId
+
+
+### default name `private_dns_zone_cognitive_search`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureCognitiveSearchPrivateDnsZoneId
+
+
+### default name `private_dns_zone_cognitive_services`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureCognitiveServicesPrivateDnsZoneId
+
+
+### default name `private_dns_zone_cosmos_cassandra`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureCosmosCassandraPrivateDnsZoneId
+
+
+### default name `private_dns_zone_cosmos_gremlin`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureCosmosGremlinPrivateDnsZoneId
+
+
+### default name `private_dns_zone_cosmos_mongo`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureCosmosMongoPrivateDnsZoneId
+
+
+### default name `private_dns_zone_cosmos_sql`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureCosmosSQLPrivateDnsZoneId
+
+
+### default name `private_dns_zone_cosmos_table`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureCosmosTablePrivateDnsZoneId
+
+
+### default name `private_dns_zone_data_factory`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureDataFactoryPrivateDnsZoneId
+
+
+### default name `private_dns_zone_data_factory_portal`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureDataFactoryPortalPrivateDnsZoneId
+
+
+### default name `private_dns_zone_disk_access`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureDiskAccessPrivateDnsZoneId
+
+
+### default name `private_dns_zone_event_grid_domains`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureEventGridDomainsPrivateDnsZoneId
+
+
+### default name `private_dns_zone_event_grid_topics`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureEventGridTopicsPrivateDnsZoneId
+
+
+### default name `private_dns_zone_event_hub_namespace`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureEventHubNamespacePrivateDnsZoneId
+
+
+### default name `private_dns_zone_file`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureFilePrivateDnsZoneId
+
+
+### default name `private_dns_zone_hdinsight`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureHDInsightPrivateDnsZoneId
+
+
+### default name `private_dns_zone_iot`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureIotPrivateDnsZoneId
+
+
+### default name `private_dns_zone_iot_hubs`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureIotHubsPrivateDnsZoneId
+
+
+### default name `private_dns_zone_key_vault`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureKeyVaultPrivateDnsZoneId
+
+
+### default name `private_dns_zone_machine_learning_workspace`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureMachineLearningWorkspacePrivateDnsZoneId
+
+
+### default name `private_dns_zone_managed_grafana_workspace`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureManagedGrafanaWorkspacePrivateDnsZoneId
+
+
+### default name `private_dns_zone_media_services_key`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureMediaServicesKeyPrivateDnsZoneId
+
+
+### default name `private_dns_zone_media_services_live`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureMediaServicesLivePrivateDnsZoneId
+
+
+### default name `private_dns_zone_media_services_stream`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureMediaServicesStreamPrivateDnsZoneId
+
+
+### default name `private_dns_zone_migrate`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureMigratePrivateDnsZoneId
+
+
+### default name `private_dns_zone_monitor_1`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureMonitorPrivateDnsZoneId1
+
+
+### default name `private_dns_zone_monitor_2`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureMonitorPrivateDnsZoneId2
+
+
+### default name `private_dns_zone_monitor_3`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureMonitorPrivateDnsZoneId3
+
+
+### default name `private_dns_zone_monitor_4`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureMonitorPrivateDnsZoneId4
+
+
+### default name `private_dns_zone_monitor_5`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureMonitorPrivateDnsZoneId5
+
+
+### default name `private_dns_zone_redis_cache`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureRedisCachePrivateDnsZoneId
+
+
+### default name `private_dns_zone_service_bus_namespace`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureServiceBusNamespacePrivateDnsZoneId
+
+
+### default name `private_dns_zone_signal_r`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureSignalRPrivateDnsZoneId
+
+
+### default name `private_dns_zone_site_recovery_blob`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureSiteRecoveryBlobPrivateDnsZoneID
+
+
+### default name `private_dns_zone_site_recovery_queue`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureSiteRecoveryQueuePrivateDnsZoneID
+
+
+### default name `private_dns_zone_storage_blob`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureStorageBlobPrivateDnsZoneId
+
+
+### default name `private_dns_zone_storage_blob_sec`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureStorageBlobSecPrivateDnsZoneId
+
+
+### default name `private_dns_zone_storage_dfs`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureStorageDFSPrivateDnsZoneId
+
+
+### default name `private_dns_zone_storage_dfs_sec`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureStorageDFSSecPrivateDnsZoneId
+
+
+### default name `private_dns_zone_storage_file`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureStorageFilePrivateDnsZoneId
+
+
+### default name `private_dns_zone_storage_queue`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureStorageQueuePrivateDnsZoneId
+
+
+### default name `private_dns_zone_storage_queue_sec`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureStorageQueueSecPrivateDnsZoneId
+
+
+### default name `private_dns_zone_storage_static_web`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureStorageStaticWebPrivateDnsZoneId
+
+
+### default name `private_dns_zone_storage_static_web_sec`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureStorageStaticWebSecPrivateDnsZoneId
+
+
+### default name `private_dns_zone_synapse_dev`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureSynapseDevPrivateDnsZoneId
+
+
+### default name `private_dns_zone_synapse_sql`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureSynapseSQLPrivateDnsZoneId
+
+
+### default name `private_dns_zone_synapse_sql_od`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureSynapseSQLODPrivateDnsZoneId
+
+
+### default name `private_dns_zone_virtual_desktop_hostpool`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureVirtualDesktopHostpoolPrivateDnsZoneId
+
+
+### default name `private_dns_zone_virtual_desktop_workspace`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureVirtualDesktopWorkspacePrivateDnsZoneId
+
+
+### default name `private_dns_zone_web`
+
+#### assignment `Deploy-Private-DNS-Zones`
+
+1 parameter names
+
+- azureWebPrivateDnsZoneId
+
+
---
## Contents
-### Policy Definitions
+### all policy definitions
158 policy definitions
@@ -579,7 +1280,7 @@ flowchart TD
- Modify-UDR
-### Policy Set Definitions
+### all policy set definitions
45 policy set definitions
@@ -630,7 +1331,7 @@ flowchart TD
- Enforce-Guardrails-VirtualDesktop
-### Policy Assignments
+### all policy assignments
69 policy assignments
@@ -705,7 +1406,7 @@ flowchart TD
- Enforce-TLS-SSL-H224
-### Role Definitions
+### all role definitions
5 role definitions
diff --git a/platform/alz/policy_assignment_default_values/alz_policy_default_values.json b/platform/alz/policy_assignment_default_values/alz_policy_default_values.json
new file mode 100644
index 0000000..1661146
--- /dev/null
+++ b/platform/alz/policy_assignment_default_values/alz_policy_default_values.json
@@ -0,0 +1,839 @@
+{
+ "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/default_policy_values.json",
+ "defaults": [
+ {
+ "default_name": "ama_user_assigned_managed_identity_id",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "userAssignedIdentityResourceId"
+ ],
+ "policy_assignment_name": "Deploy-VM-ChangeTrack"
+ },
+ {
+ "parameter_names": [
+ "userAssignedIdentityResourceId"
+ ],
+ "policy_assignment_name": "Deploy-vmArc-ChangeTrack"
+ },
+ {
+ "parameter_names": [
+ "userAssignedIdentityResourceId"
+ ],
+ "policy_assignment_name": "Deploy-VMSS-ChangeTrack"
+ }
+ ]
+ },
+ {
+ "default_name": "ama_user_assigned_managed_identity_name",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "resourceName"
+ ],
+ "policy_assignment_name": "DenyAction-DeleteUAMIAMA"
+ }
+ ]
+ },
+ {
+ "default_name": "ama_vm_change_tracking_data_collection_rule_id",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "dcrResourceId"
+ ],
+ "policy_assignment_name": "Deploy-VM-ChangeTrack"
+ }
+ ]
+ },
+ {
+ "default_name": "ama_vmarc_change_tracking_data_collection_rule_id",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "dcrResourceId"
+ ],
+ "policy_assignment_name": "Deploy-vmArc-ChangeTrack"
+ }
+ ]
+ },
+ {
+ "default_name": "ama_vmss_change_tracking_data_collection_rule_id",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "dcrResourceId"
+ ],
+ "policy_assignment_name": "Deploy-VMSS-ChangeTrack"
+ }
+ ]
+ },
+ {
+ "default_name": "automation_account_location",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "automationRegion"
+ ],
+ "policy_assignment_name": "Deploy-Log-Analytics"
+ }
+ ]
+ },
+ {
+ "default_name": "automation_account_name",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "automationAccountName"
+ ],
+ "policy_assignment_name": "Deploy-Log-Analytics"
+ }
+ ]
+ },
+ {
+ "default_name": "ddos_protection_plan_id",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "ddosPlan"
+ ],
+ "policy_assignment_name": "Enable-DDoS-VNET"
+ }
+ ]
+ },
+ {
+ "default_name": "log_analytics_workspace_id",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "logAnalytics"
+ ],
+ "policy_assignment_name": "Deploy-AzActivity-Log"
+ },
+ {
+ "parameter_names": [
+ "logAnalyticsWorkspaceId"
+ ],
+ "policy_assignment_name": "Deploy-AzSqlDb-Auditing"
+ },
+ {
+ "parameter_names": [
+ "logAnalytics"
+ ],
+ "policy_assignment_name": "Deploy-Diag-Logs"
+ },
+ {
+ "parameter_names": [
+ "logAnalytics"
+ ],
+ "policy_assignment_name": "Deploy-MDFC-Config-H224"
+ },
+ {
+ "parameter_names": [
+ "logAnalytics"
+ ],
+ "policy_assignment_name": "Deploy-MDFC-Config"
+ },
+ {
+ "parameter_names": [
+ "userWorkspaceResourceId"
+ ],
+ "policy_assignment_name": "Deploy-MDFC-DefSQL-AMA"
+ }
+ ]
+ },
+ {
+ "default_name": "log_analytics_workspace_location",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "workspaceRegion"
+ ],
+ "policy_assignment_name": "Deploy-Log-Analytics"
+ }
+ ]
+ },
+ {
+ "default_name": "log_analytics_workspace_name",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "workspaceName"
+ ],
+ "policy_assignment_name": "Deploy-Log-Analytics"
+ }
+ ]
+ },
+ {
+ "default_name": "log_analytics_workspace_resource_group_name",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "rgName"
+ ],
+ "policy_assignment_name": "Deploy-Log-Analytics"
+ }
+ ]
+ },
+ {
+ "default_name": "log_analytics_workspace_retention_in_days",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "dataRetention"
+ ],
+ "policy_assignment_name": "Deploy-Log-Analytics"
+ }
+ ]
+ },
+ {
+ "default_name": "log_analytics_workspace_sku",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "sku"
+ ],
+ "policy_assignment_name": "Deploy-Log-Analytics"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_managed_grafana_workspace",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureManagedGrafanaWorkspacePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_arc_kubernetes_configuration",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureArcKubernetesConfigurationPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_arc_hybrid_resource_provider",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureArcHybridResourceProviderPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_arc_guestconfiguration",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureArcGuestconfigurationPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_app",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureAppPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_app_services",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureAppServicesPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_asr",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureAsrPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_automation_dsc_hybrid",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureAutomationDSCHybridPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_automation_webhook",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureAutomationWebhookPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_batch",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureBatchPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_cognitive_search",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureCognitiveSearchPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_cognitive_services",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureCognitiveServicesPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_cosmos_cassandra",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureCosmosCassandraPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_cosmos_gremlin",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureCosmosGremlinPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_cosmos_mongo",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureCosmosMongoPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_cosmos_sql",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureCosmosSQLPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_cosmos_table",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureCosmosTablePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_data_factory_portal",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureDataFactoryPortalPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_data_factory",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureDataFactoryPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_disk_access",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureDiskAccessPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_event_grid_domains",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureEventGridDomainsPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_event_grid_topics",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureEventGridTopicsPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_event_hub_namespace",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureEventHubNamespacePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_file",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureFilePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_hdinsight",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureHDInsightPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_iot_hubs",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureIotHubsPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_iot",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureIotPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_key_vault",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureKeyVaultPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_machine_learning_workspace",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureMachineLearningWorkspacePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_media_services_key",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureMediaServicesKeyPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_media_services_live",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureMediaServicesLivePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_media_services_stream",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureMediaServicesStreamPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_migrate",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureMigratePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_monitor_1",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureMonitorPrivateDnsZoneId1"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_monitor_2",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureMonitorPrivateDnsZoneId2"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_monitor_3",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureMonitorPrivateDnsZoneId3"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_monitor_4",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureMonitorPrivateDnsZoneId4"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_monitor_5",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureMonitorPrivateDnsZoneId5"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_redis_cache",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureRedisCachePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_service_bus_namespace",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureServiceBusNamespacePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_signal_r",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureSignalRPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_storage_blob",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureStorageBlobPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_storage_blob_sec",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureStorageBlobSecPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_storage_dfs",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureStorageDFSPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_storage_dfs_sec",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureStorageDFSSecPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_storage_file",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureStorageFilePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_storage_queue",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureStorageQueuePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_storage_queue_sec",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureStorageQueueSecPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_storage_static_web",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureStorageStaticWebPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_storage_static_web_sec",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureStorageStaticWebSecPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_synapse_dev",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureSynapseDevPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_synapse_sql_od",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureSynapseSQLODPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_synapse_sql",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureSynapseSQLPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_web",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureWebPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_virtual_desktop_hostpool",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureVirtualDesktopHostpoolPrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_virtual_desktop_workspace",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureVirtualDesktopWorkspacePrivateDnsZoneId"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_site_recovery_blob",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureSiteRecoveryBlobPrivateDnsZoneID"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ },
+ {
+ "default_name": "private_dns_zone_site_recovery_queue",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "azureSiteRecoveryQueuePrivateDnsZoneID"
+ ],
+ "policy_assignment_name": "Deploy-Private-DNS-Zones"
+ }
+ ]
+ }
+ ]
+}
diff --git a/platform/alz/policy_assignments/denyaction_deleteuamiama.alz_policy_assignment.json b/platform/alz/policy_assignments/denyaction_deleteuamiama.alz_policy_assignment.json
index d971523..83321cb 100644
--- a/platform/alz/policy_assignments/denyaction_deleteuamiama.alz_policy_assignment.json
+++ b/platform/alz/policy_assignments/denyaction_deleteuamiama.alz_policy_assignment.json
@@ -16,7 +16,7 @@
"value": "defaultString3"
},
"resourceType": {
- "value": "defaultString4"
+ "value": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
},
"scope": "/providers/Microsoft.Management/managementGroups/placeholder",
diff --git a/platform/alz/scripts/CreatePrivateDnsZoneDefaultArray.ps1 b/platform/alz/scripts/CreatePrivateDnsZoneDefaultArray.ps1
new file mode 100644
index 0000000..e4f396a
--- /dev/null
+++ b/platform/alz/scripts/CreatePrivateDnsZoneDefaultArray.ps1
@@ -0,0 +1,100 @@
+$privateDnsZoneIds = @(
+ "azureManagedGrafanaWorkspacePrivateDnsZoneId",
+ "azureArcKubernetesConfigurationPrivateDnsZoneId",
+ "azureArcHybridResourceProviderPrivateDnsZoneId",
+ "azureArcGuestconfigurationPrivateDnsZoneId",
+ "azureAppPrivateDnsZoneId",
+ "azureAppServicesPrivateDnsZoneId",
+ "azureAsrPrivateDnsZoneId",
+ "azureAutomationDSCHybridPrivateDnsZoneId",
+ "azureAutomationWebhookPrivateDnsZoneId",
+ "azureBatchPrivateDnsZoneId",
+ "azureCognitiveSearchPrivateDnsZoneId",
+ "azureCognitiveServicesPrivateDnsZoneId",
+ "azureCosmosCassandraPrivateDnsZoneId",
+ "azureCosmosGremlinPrivateDnsZoneId",
+ "azureCosmosMongoPrivateDnsZoneId",
+ "azureCosmosSQLPrivateDnsZoneId",
+ "azureCosmosTablePrivateDnsZoneId",
+ "azureDataFactoryPortalPrivateDnsZoneId",
+ "azureDataFactoryPrivateDnsZoneId",
+ "azureDiskAccessPrivateDnsZoneId",
+ "azureEventGridDomainsPrivateDnsZoneId",
+ "azureEventGridTopicsPrivateDnsZoneId",
+ "azureEventHubNamespacePrivateDnsZoneId",
+ "azureFilePrivateDnsZoneId",
+ "azureHDInsightPrivateDnsZoneId",
+ "azureIotHubsPrivateDnsZoneId",
+ "azureIotPrivateDnsZoneId",
+ "azureKeyVaultPrivateDnsZoneId",
+ "azureMachineLearningWorkspacePrivateDnsZoneId",
+ "azureMediaServicesKeyPrivateDnsZoneId",
+ "azureMediaServicesLivePrivateDnsZoneId",
+ "azureMediaServicesStreamPrivateDnsZoneId",
+ "azureMigratePrivateDnsZoneId",
+ "azureMonitorPrivateDnsZoneId1",
+ "azureMonitorPrivateDnsZoneId2",
+ "azureMonitorPrivateDnsZoneId3",
+ "azureMonitorPrivateDnsZoneId4",
+ "azureMonitorPrivateDnsZoneId5",
+ "azureRedisCachePrivateDnsZoneId",
+ "azureServiceBusNamespacePrivateDnsZoneId",
+ "azureSignalRPrivateDnsZoneId",
+ "azureStorageBlobPrivateDnsZoneId",
+ "azureStorageBlobSecPrivateDnsZoneId",
+ "azureStorageDFSPrivateDnsZoneId",
+ "azureStorageDFSSecPrivateDnsZoneId",
+ "azureStorageFilePrivateDnsZoneId",
+ "azureStorageQueuePrivateDnsZoneId",
+ "azureStorageQueueSecPrivateDnsZoneId",
+ "azureStorageStaticWebPrivateDnsZoneId",
+ "azureStorageStaticWebSecPrivateDnsZoneId",
+ "azureSynapseDevPrivateDnsZoneId",
+ "azureSynapseSQLODPrivateDnsZoneId",
+ "azureSynapseSQLPrivateDnsZoneId",
+ "azureWebPrivateDnsZoneId",
+ "azureVirtualDesktopHostpoolPrivateDnsZoneId",
+ "azureVirtualDesktopWorkspacePrivateDnsZoneId",
+ "azureSiteRecoveryBlobPrivateDnsZoneID",
+ "azureSiteRecoveryQueuePrivateDnsZoneID"
+)
+
+$results = @()
+
+foreach ($privateDnsZoneId in $privateDnsZoneIds) {
+ $camelCase = ""
+ $wasPreviousUpperI = $false
+
+ foreach ($character in $privateDnsZoneId.ToCharArray()) {
+ if ([System.Char]::IsUpper($character)) {
+ if (!$wasPreviousUpper) {
+ $camelCase += "_"
+ }
+
+ $wasPreviousUpper = $true
+ }
+ else {
+ $wasPreviousUpper = $false
+ }
+ $camelCase += $character.ToString().ToLower()
+ }
+
+ $camelCase = $camelCase.Replace("sql", "_sql_").Replace("dfs", "_dfs_").Replace("dsc", "_dsc_").Replace("signal_r", "_signal_r_").Replace("private_dns_zone_id", "_private_dns_zone_id_").Replace("___", "_").Replace("__", "_").Trim("_")
+ $finalName = $camelCase.Replace("_private_dns_zone_id", "").Replace("azure_", "").Trim("_")
+ $finalName = "private_dns_zone_$finalName"
+
+ $jsonObject = @{
+ "default_name" = $finalName
+ "policy_assignments" = @(
+ @{
+ "policy_assignment_name" = "Deploy-Private-DNS-Zones"
+ "parameter_names" = @(
+ $privateDnsZoneId
+ )
+ }
+ )
+ }
+ $results += $jsonObject
+}
+
+Write-Output $results | ConvertTo-Json -Depth 10
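Review bot: The per-ID reset `$wasPreviousUpperI = $false` assigns a variable that is never read. The inner loop tests and sets `$wasPreviousUpper`, so that flag is never reset and carries over from one ID to the next. Every entry in the list starts with a lowercase letter, so the generated names are not affected today, but the typo is latent and the line should read `$wasPreviousUpper = $false`. As a point of style, `$camelCase` holds the snake_case form of the name and would read better as `$snakeCase`.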
diff --git a/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1 b/platform/alz/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1
similarity index 99%
rename from .github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1
rename to platform/alz/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1
index 115f87e..f85a04b 100644
--- a/.github/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1
+++ b/platform/alz/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1
@@ -102,6 +102,7 @@ $parameters = @{
userAssignedIdentityResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/placeholder/providers/Microsoft.ManagedIdentity/userAssignedIdentities/placeholder"
dcrResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/placeholder/providers/Microsoft.Insights/dataCollectionRules/placeholder"
dataCollectionRuleResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/placeholder/providers/Microsoft.Insights/dataCollectionRules/placeholder"
+ resourceType = "Microsoft.ManagedIdentity/userAssignedIdentities"
}
overrides = @{
sql_data_collection_rule_overrides = @{
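Review bot: `resourceType` is a generic parameter name, and the added line puts a value specific to the managed-identity deny-delete assignment into the block that closes on the next line, a sibling of `overrides`. If that block is applied by parameter name to every assignment the script processes, any other assignment exposing a `resourceType` parameter would silently receive `Microsoft.ManagedIdentity/userAssignedIdentities`; the lookup code is outside this hunk, so this is inferred. Scoping the value to the one assignment through `overrides` would make the intent explicit, or at least a comment such as `# used by the DenyAction delete-UAMI assignment only`. The `$parameters` table starts and ends outside the hunk.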
diff --git a/.github/scripts/Invoke-LibraryUpdatePolicyDefinitions.ps1 b/platform/alz/scripts/Invoke-LibraryUpdatePolicyDefinitions.ps1
similarity index 100%
rename from .github/scripts/Invoke-LibraryUpdatePolicyDefinitions.ps1
rename to platform/alz/scripts/Invoke-LibraryUpdatePolicyDefinitions.ps1