New custom policy DenyAction Delete UAMI used by AMA (#1662)
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Sacha Narinx <Springstone@users.noreply.github.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
4 people authored Jun 6, 2024
1 parent 6ca76b7 commit 0c81c91
Showing 8 changed files with 153 additions and 52 deletions.
2 changes: 1 addition & 1 deletion docs/wiki/ALZ-Policies.md
@@ -122,7 +122,7 @@ This management group contains all the platform child management groups, like ma
| **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
| **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled |
| **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled |
| **Do not allow deletion of resource types**\* | **Do not allow deletion of resource types** | `Policy Definition`, **Built-in** | This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. Assigned to deny the deletion of the User Assignment Managed Identity that is used for AMA. | DenyAction |
| **Do not allow deletion of the User Assigned Managed Identity used by AMA**\*| **Do not allow deletion of specified resource and resource type** | `Policy Definition`, **Custom** | This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect. | DenyAction |

> \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future.
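Review bot: the added table row for "Do not allow deletion of the User Assigned Managed Identity used by AMA" is missing the space between `\*` and the `|` column separator that every other row in this table carries, and it drops the sentence the replaced row had about where the policy is assigned. Suggest `**Do not allow deletion of the User Assigned Managed Identity used by AMA**\* | **Do not allow deletion of specified resource and resource type** | ...` and appending "Assigned at the Platform management group." to the description so the table agrees with the What's New entry in this same commit.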
6 changes: 6 additions & 0 deletions docs/wiki/Whats-new.md
@@ -45,6 +45,12 @@ This article will be updated as and when changes are made to the above and anyth

Here's what's changed in Enterprise Scale/Azure Landing Zones:

### June 2024

#### Policy

- Added new custom policy [Do not allow deletion of specified resource and resource type](https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-DeleteResources.html) that provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA. Assigned at the Platform Management Group, it blocks delete calls using the deny action effect.

### 🆕 AMA Updates

The ALZ Portal Accelerator has been enhanced with the latest AMA updates, ensuring a seamless and efficient management experience. 🚀
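Review bot: the new What's New entry links the custom definition only to an external azadvertizer page; consider linking the definition file in this repository alongside (or instead of) it so the documentation does not depend on a third-party site staying current. It would also help readers to mention that the definition takes a resource name and resource type as parameters (the assignment template in this commit passes `resourceName` and `resourceType`), since that is what makes it reusable beyond the AMA identity.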
Binary file modified docs/wiki/media/ALZ Policy Assignments v2.xlsx
Binary file not shown.
18 changes: 12 additions & 6 deletions eslzArm/eslzArm.json
@@ -1509,7 +1509,7 @@
"wsStoragePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsStoragePolicyAssignment.json')]",
"wsSynapsePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsSynapsePolicyAssignment.json')]",
"wsVirtualDesktopPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json')]",
"denyResourceDeletionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENYACTION-ResourceDeletionPolicyAssignment.json')]"
"denyActionDeleteUAMIAMAPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENYACTION-DeleteUAMIAMAPolicyAssignment.json')]"
},
// Declaring deterministic deployment names
"deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]",
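Review bot: the renamed variable `denyActionDeleteUAMIAMAPolicyAssignment` now points at `DENYACTION-DeleteUAMIAMAPolicyAssignment.json`, but this diff shows the assignment template hunks without a file header, so confirm the old `DENYACTION-ResourceDeletionPolicyAssignment.json` was renamed rather than left behind, and that no other reference to `denyResourceDeletionPolicyAssignment` remains in eslzArm.json or the other templates; a stale reference would only surface as a failure at deployment time.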
@@ -1618,7 +1618,7 @@
"pidCuaDeploymentNameNetworkingNone": "[take(concat('pid-', variables('cuaidNetworkingNone'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
"pidCuaDeploymentNameNetworkingHubSpoke": "[take(concat('pid-', variables('cuaidNetworkingHubSpoke'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
"pidCuaDeploymentNameNetworkingVirtualWan": "[take(concat('pid-', variables('cuaidNetworkingVirtualWan'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
"denyResourceDeletionPolicyDeploymentName": "[take(concat('alz-DenyResourceDeletion', variables('deploymentSuffix')), 64)]",
"denyActionDeleteUAMIAMAPolicyDeploymentName": "[take(concat('alz-DenyActionDeleteUAMI', variables('deploymentSuffix')), 64)]",
// Workload Specific Compliance Initiatives
"wsCMKDeploymentName": "[take(concat('alz-wsCMK', variables('deploymentSuffix')), 35)]",
"wsAPIMDeploymentName": "[take(concat('alz-wsAPIM', variables('deploymentSuffix')), 35)]",
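Review bot: the deployment-name literal `'alz-DenyActionDeleteUAMI'` drops the `AMA` qualifier that the variable `denyActionDeleteUAMIAMAPolicyDeploymentName` and the URI variable carry; suggest `'alz-DenyActionDeleteUAMIAMA'` so the nested deployment appears under a name matching the assignment. The surrounding `take(..., 64)` already bounds the length, so the longer literal is safe.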
@@ -4374,7 +4374,7 @@
"condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[variables('deploymentNames').denyResourceDeletionPolicyDeploymentName]",
"name": "[variables('deploymentNames').denyActionDeleteUAMIAMAPolicyDeploymentName]",
"scope": "[variables('scopes').platformManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
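Review bot: the unchanged `condition` gates this deployment on `enableLogAnalytics` being `'Yes'` plus a platform or management subscription being supplied, while the assignment protects the identity named by `platformResourceNames.userAssignedIdentity`; confirm the UAMI is created under exactly that condition. If the identity can exist when this condition is false, it is left unprotected; if the assignment is created when the identity does not exist, it is harmless but misleading to operators reading the Platform management group's assignments.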
@@ -4384,11 +4384,17 @@
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').denyResourceDeletionPolicyAssignment]"
"uri": "[variables('deploymentUris').denyActionDeleteUAMIAMAPolicyAssignment]"
},
"parameters": {
"listOfResourceTypesDisallowedForDeletion": {
"value": "[parameters('listOfResourceTypesDisallowedForDeletion')]"
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
},
"resourceName": {
"value": "[variables('platformResourceNames').userAssignedIdentity]"
},
"resourceType": {
"value": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
}
}
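Review bot: the assignment now references a custom definition (`DenyAction-DeleteResources` under the management group built from `topLevelManagementGroupPrefix`) instead of a built-in, so this deployment must `dependsOn` the deployment that creates the custom policy definitions; the `dependsOn` array is collapsed in this diff, so verify it includes that definitions deployment, otherwise the assignment can fail on a first deployment because the definition does not yet exist. Passing `resourceType` as the literal `Microsoft.ManagedIdentity/userAssignedIdentities` is fine for this single-purpose assignment.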
@@ -2,6 +2,12 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
},
"enforcementMode": {
"type": "string",
"allowedValues": [
@@ -18,22 +24,27 @@
],
"defaultValue": "DenyAction"
},
"listOfResourceTypesDisallowedForDeletion": {
"type": "Array",
"resourceName": {
"type": "string",
"metadata": {
"description": "Provide the name of the resource that you want to protect from accidental deletion."
}
},
"resourceType": {
"type": "string",
"metadata": {
"displayName": "Resource types that cannot be deleted",
"description": "The list of resource types that cannot be deleted."
"description": "Provide the resource type that you want to protect from accidental deletion."
}
}
},
"variables": {
"policyDefinitions": {
"denyActionResourceDeletion": "/providers/Microsoft.Authorization/policyDefinitions/78460a36-508a-49a4-b2b2-2f5ec564f4bb"
"denyActionResourceDeletion": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DeleteResources')]"
},
"policyAssignmentNames": {
"denyActionResourceDeletion": "DenyAction-Resource-Del",
"description": "This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.",
"displayName": "Do not allow deletion of resource types"
"denyActionResourceDeletion": "DenyAction-DeleteUAMIAMA",
"description": "This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect.",
"displayName": "Do not allow deletion of the User Assigned Managed Identity used by AMA"
}
},
"resources": [
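Review bot: the new `resourceName` and `resourceType` parameters define only a `description` in `metadata`, dropping the `displayName` the replaced `listOfResourceTypesDisallowedForDeletion` parameter had; add a `displayName` to each for consistency with the rest of the assignment templates. Since this assignment is single-purpose, consider a `defaultValue` of `Microsoft.ManagedIdentity/userAssignedIdentities` on `resourceType` (the value eslzArm.json passes in this commit) so the template deploys safely when a caller omits it. Note also that the assignment name `DenyAction-DeleteUAMIAMA` is 24 characters, which is exactly the maximum for a management-group-scoped policy assignment name, so any future suffix would break it.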
@@ -50,8 +61,11 @@
"effect": {
"value": "[parameters('effect')]"
},
"listOfResourceTypesDisallowedForDeletion": {
"value": "[parameters('listOfResourceTypesDisallowedForDeletion')]"
"resourceName": {
"value": "[parameters('resourceName')]"
},
"resourceType": {
"value": "[parameters('resourceType')]"
}
}
}
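Review bot: the parameter names passed here (`effect`, `resourceName`, `resourceType`) must match the parameters declared by the custom `DenyAction-DeleteResources` definition, which is not part of this diff, and a mismatch is only reported at deployment. Please confirm the definition declares exactly these names and that its `effect` parameter accepts the `DenyAction` default this template sets.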